From b28aaf208c3c42452d3204f9f2b5e09e4be41dd6 Mon Sep 17 00:00:00 2001 From: Rodrigo Agundez Date: Wed, 22 Oct 2025 19:58:47 +0800 Subject: [PATCH 1/3] Add CORS middleware and update documentation --- README.md | 74 ++++++++--------- .../configuration/environment-variables.md | 76 +++++++++--------- .../configuration/settings-classes.md | 80 +++++++++++-------- src/app/core/config.py | 14 +++- src/app/core/setup.py | 14 ++++ 5 files changed, 145 insertions(+), 113 deletions(-) diff --git a/README.md b/README.md index 283ac04a..4ff28bc8 100644 --- a/README.md +++ b/README.md @@ -36,7 +36,7 @@

---- +______________________________________________________________________ ## 📖 Documentation @@ -52,7 +52,7 @@ This README provides a quick reference for LLMs and developers, but the full documentation contains detailed guides, examples, and best practices. ---- +______________________________________________________________________ ## 0. About @@ -78,6 +78,7 @@ This README provides a quick reference for LLMs and developers, but the full doc 💬 **[Join our Discord community](https://discord.com/invite/TEmPs22gqB)** - Connect with other developers using the FastAPI boilerplate! Our Discord server features: + - **🤝 Networking** - Connect with fellow developers and share experiences - **💡 Product Updates** - Stay updated with FastroAI and our other products - **📸 Showcase** - Share what you've built using our tools @@ -140,7 +141,7 @@ Whether you're just getting started or building production applications, our com 1. [Admin Panel](#513-admin-panel) 1. [Running](#514-running) 1. [Create Application](#515-create-application) - 2. [Opting Out of Services](#516-opting-out-of-services) + 1. [Opting Out of Services](#516-opting-out-of-services) 1. [Running in Production](#6-running-in-production) 1. [Uvicorn Workers with Gunicorn](#61-uvicorn-workers-with-gunicorn) 1. [Running With NGINX](#62-running-with-nginx) @@ -289,6 +290,7 @@ CRUD_ADMIN_REDIS_SSL=false # default=false, use SSL for Redis co ``` **Session Backend Options:** + - **Memory** (default): Development-friendly, sessions reset on restart - **Redis** (production): High performance, scalable, persistent sessions - **Database**: Audit-friendly with admin visibility @@ -600,7 +602,7 @@ And to apply the migration uv run alembic upgrade head ``` -> [!NOTE] +> \[!NOTE\] > If you do not have uv, you may run it without uv after running `pip install alembic` ## 5. Extending 
@@ -1057,11 +1059,7 @@ router = APIRouter(tags=["entities"]) @router.get("/entities/{id}", response_model=EntityRead) -async def read_entity( - request: Request, - id: int, - db: Annotated[AsyncSession, Depends(async_get_db)] -): +async def read_entity(request: Request, id: int, db: Annotated[AsyncSession, Depends(async_get_db)]): entity = await crud_entity.get(db=db, id=id) if entity is None: # Explicit None check @@ -1071,10 +1069,7 @@ async def read_entity( @router.get("/entities", response_model=List[EntityRead]) -async def read_entities( - request: Request, - db: Annotated[AsyncSession, Depends(async_get_db)] -): +async def read_entities(request: Request, db: Annotated[AsyncSession, Depends(async_get_db)]): entities = await crud_entity.get_multi(db=db, is_deleted=False) return entities ``` @@ -1150,10 +1145,7 @@ from app.schemas.entity import EntityRead @router.get("/entities", response_model=PaginatedListResponse[EntityRead]) async def read_entities( - request: Request, - db: Annotated[AsyncSession, Depends(async_get_db)], - page: int = 1, - items_per_page: int = 10 + request: Request, db: Annotated[AsyncSession, Depends(async_get_db)], page: int = 1, items_per_page: int = 10 ): entities_data = await crud_entity.get_multi( db=db, 
@@ -1173,18 +1165,15 @@ async def read_entities( To add exceptions you may just import from `app/core/exceptions/http_exceptions` and optionally add a detail: ```python -from app.core.exceptions.http_exceptions import ( - NotFoundException, - ForbiddenException, - DuplicateValueException -) +from app.core.exceptions.http_exceptions import NotFoundException, ForbiddenException, DuplicateValueException + @router.post("/entities", response_model=EntityRead, status_code=201) async def create_entity( request: Request, entity_data: EntityCreate, db: Annotated[AsyncSession, Depends(async_get_db)], - current_user: Annotated[UserRead, Depends(get_current_user)] + current_user: Annotated[UserRead, Depends(get_current_user)], ): # Check if entity already exists if await crud_entity.exists(db=db, name=entity_data.name) is True: @@ -1204,11 +1193,7 @@ async def create_entity( @router.get("/entities/{id}", response_model=EntityRead) -async def read_entity( - request: Request, - id: int, - db: Annotated[AsyncSession, Depends(async_get_db)] -): +async def read_entity(request: Request, id: int, db: Annotated[AsyncSession, Depends(async_get_db)]): entity = await crud_entity.get(db=db, id=id) if entity is None: # Explicit None check 
@@ -1399,7 +1384,7 @@ For `client-side caching`, all you have to do is let the `Settings` class define Depending on the problem your API is solving, you might want to implement a job queue. A job queue allows you to run tasks in the background, and is usually aimed at functions that require longer run times and don't directly impact user response in your frontend. As a rule of thumb, if a task takes more than 2 seconds to run, can be executed asynchronously, and its result is not needed for the next step of the user's interaction, then it is a good candidate for the job queue. -> [!TIP] +> \[!TIP\] > Very common candidates for background functions are calls to and from LLM endpoints (e.g. OpenAI or Openrouter). This is because they span tens of seconds and often need to be further parsed and saved. #### Background task creation @@ -1418,6 +1403,7 @@ Then add the function to the `WorkerSettings` class `functions` variable in `app from .functions import sample_background_task from .your_module import sample_complex_background_task + class WorkerSettings: functions = [sample_background_task, sample_complex_background_task] ... @@ -1442,7 +1428,7 @@ async def get_task(task_id: str): And finally run the worker in parallel to your fastapi application. -> [!IMPORTANT] +> \[!IMPORTANT\] > For any change to the `sample_background_task` to be reflected in the worker, you need to restart the worker (e.g. the docker container). If you are using `docker compose`, the worker is already running. @@ -1462,6 +1448,7 @@ To do this, you can add the database session to the `ctx` object in the `startup from arq.worker import Worker from ...core.db.database import async_get_db + async def startup(ctx: Worker) -> None: ctx["db"] = await anext(async_get_db()) logging.info("Worker Started") 
@@ -1477,17 +1464,16 @@ This will allow you to have the async database session always available in any b ```python from arq.worker import Worker + async def your_background_function( ctx: Worker, post_id: int, - ... ) -> Any: db = ctx["db"] post = crud_posts.get(db=db, schema_to_select=PostRead, id=post_id) - ... ``` -> [!WARNING] +> \[!WARNING\] > When using database sessions, you will want to use Pydantic objects. However, these objects don't mingle well with the seralization required by ARQ tasks and will be retrieved as a dictionary. ### 5.11 Rate Limiting @@ -1661,6 +1647,7 @@ This authentication setup in the provides a robust, secure, and user-friendly wa The boilerplate includes a powerful web-based admin interface built with [CRUDAdmin](https://github.com/benavlabs/crudadmin) that provides a comprehensive database management system. > **About CRUDAdmin**: CRUDAdmin is a modern admin interface generator for FastAPI applications. Learn more at: +> > - **📚 Documentation**: [benavlabs.github.io/crudadmin](https://benavlabs.github.io/crudadmin/) > - **💻 GitHub**: [github.com/benavlabs/crudadmin](https://github.com/benavlabs/crudadmin) @@ -1685,6 +1672,7 @@ http://localhost:8000/admin ``` Use the admin credentials you defined in your `.env` file: + - Username: `ADMIN_USERNAME` - Password: `ADMIN_PASSWORD` @@ -1709,6 +1697,7 @@ To add new models to the admin panel, edit `src/app/admin/views.py`: from your_app.models import YourModel from your_app.schemas import YourCreateSchema, YourUpdateSchema + def register_admin_views(admin: CRUDAdmin) -> None: # ... existing models ... @@ -1716,7 +1705,7 @@ def register_admin_views(admin: CRUDAdmin) -> None: model=YourModel, create_schema=YourCreateSchema, update_schema=YourUpdateSchema, - allowed_actions={"view", "create", "update", "delete"} + allowed_actions={"view", "create", "update", "delete"}, ) ``` 
@@ -1731,7 +1720,7 @@ admin.add_view( create_schema=ArticleCreate, update_schema=ArticleUpdate, select_schema=ArticleSelect, # Exclude problematic fields from read operations - allowed_actions={"view", "create", "update", "delete"} + allowed_actions={"view", "create", "update", "delete"}, ) # Password field handling @@ -1740,7 +1729,7 @@ admin.add_view( create_schema=UserCreateWithPassword, update_schema=UserUpdateWithPassword, password_transformer=password_transformer, # Handles password hashing - allowed_actions={"view", "create", "update"} + allowed_actions={"view", "create", "update"}, ) # Read-only models @@ -1748,7 +1737,7 @@ admin.add_view( model=AuditLog, create_schema=AuditLogSchema, update_schema=AuditLogSchema, - allowed_actions={"view"} # Only viewing allowed + allowed_actions={"view"}, # Only viewing allowed ) ``` @@ -1758,9 +1747,9 @@ For production environments, consider using Redis for better performance: ```python # Enable Redis sessions in your environment -CRUD_ADMIN_REDIS_ENABLED=true -CRUD_ADMIN_REDIS_HOST=localhost -CRUD_ADMIN_REDIS_PORT=6379 +CRUD_ADMIN_REDIS_ENABLED = true +CRUD_ADMIN_REDIS_HOST = localhost +CRUD_ADMIN_REDIS_PORT = 6379 ``` ### 5.14 Running @@ -1783,6 +1772,7 @@ And for the worker: ```sh uv run arq src.app.core.worker.settings.WorkerSettings ``` + ### 5.15 Create Application If you want to stop tables from being created every time you run the api, you should disable this here: @@ -1823,6 +1813,7 @@ env_path = os.path.join(current_file_dir, "..", "..", ".env") config = Config(env_path) ... + class Settings( AppSettings, PostgresSettings, @@ -1836,6 +1827,7 @@ class Settings( DefaultRateLimitSettings, CRUDAdminSettings, EnvironmentSettings, + CORSSettings, ): pass @@ -1855,6 +1847,7 @@ class Settings( ClientSideCacheSettings, DefaultRateLimitSettings, EnvironmentSettings, + CORSSettings, ): pass ``` 
@@ -2126,6 +2119,7 @@ import pytest from unittest.mock import AsyncMock, patch from src.app.api.v1.users import write_user + class TestWriteUser: @pytest.mark.asyncio async def test_create_user_success(self, mock_db, sample_user_data): diff --git a/docs/user-guide/configuration/environment-variables.md b/docs/user-guide/configuration/environment-variables.md index 199a5297..3eaeb094 100644 --- a/docs/user-guide/configuration/environment-variables.md +++ b/docs/user-guide/configuration/environment-variables.md @@ -92,10 +92,8 @@ REFRESH_TOKEN_EXPIRE_DAYS=7 - `REFRESH_TOKEN_EXPIRE_DAYS`: How long refresh tokens remain valid !!! danger "Security Warning" - Never use default values in production. Generate a strong secret key: - ```bash - openssl rand -hex 32 - ``` +Never use default values in production. Generate a strong secret key: +`bash openssl rand -hex 32 ` ### Redis Configuration @@ -107,7 +105,7 @@ REDIS_CACHE_HOST="localhost" # Use "redis" for Docker Compose REDIS_CACHE_PORT=6379 # ------------- redis queue ------------- -REDIS_QUEUE_HOST="localhost" # Use "redis" for Docker Compose +REDIS_QUEUE_HOST="localhost" # Use "redis" for Docker Compose REDIS_QUEUE_PORT=6379 # ------------- redis rate limit ------------- @@ -256,7 +254,7 @@ The main `Settings` class inherits from multiple setting groups: ```python class Settings( AppSettings, - PostgresSettings, + PostgresSettings, CryptSettings, FirstUserSettings, RedisCacheSettings, @@ -265,6 +263,7 @@ class Settings( RedisRateLimiterSettings, DefaultRateLimitSettings, EnvironmentSettings, + CORSSettings, ): pass ``` @@ -279,6 +278,7 @@ class CustomSettings(BaseSettings): CUSTOM_TIMEOUT: int = 30 ENABLE_FEATURE_X: bool = False + # Add to main Settings class class Settings( AppSettings, @@ -300,7 +300,7 @@ class Settings( CryptSettings, FirstUserSettings, # Removed: RedisCacheSettings - # Removed: RedisQueueSettings + # Removed: RedisQueueSettings # Removed: RedisRateLimiterSettings EnvironmentSettings, ): 
@@ -326,21 +326,23 @@ SQLAlchemy connection pool settings in `src/app/core/db/database.py`: ```python engine = create_async_engine( DATABASE_URL, - pool_size=20, # Number of connections to maintain - max_overflow=30, # Additional connections allowed - pool_timeout=30, # Seconds to wait for connection - pool_recycle=1800, # Seconds before connection refresh + pool_size=20, # Number of connections to maintain + max_overflow=30, # Additional connections allowed + pool_timeout=30, # Seconds to wait for connection + pool_recycle=1800, # Seconds before connection refresh ) ``` ### Database Best Practices **Connection Pool Sizing:** + - Start with `pool_size=20`, `max_overflow=30` - Monitor connection usage and adjust based on load - Use connection pooling monitoring tools **Migration Strategy:** + - Always backup database before running migrations - Test migrations on staging environment first - Use `alembic revision --autogenerate` for model changes @@ -357,9 +359,7 @@ def create_access_token(data: dict, expires_delta: timedelta = None): if expires_delta: expire = datetime.utcnow() + expires_delta else: - expire = datetime.utcnow() + timedelta( - minutes=settings.ACCESS_TOKEN_EXPIRE_MINUTES - ) + expire = datetime.utcnow() + timedelta(minutes=settings.ACCESS_TOKEN_EXPIRE_MINUTES) ``` ### CORS Configuration @@ -371,7 +371,7 @@ app.add_middleware( CORSMiddleware, allow_origins=["http://localhost:3000"], # Specify allowed origins allow_credentials=True, - allow_methods=["GET", "POST"], # Specify allowed methods + allow_methods=["GET", "POST"], # Specify allowed methods allow_headers=["*"], ) ``` @@ -380,10 +380,7 @@ app.add_middleware( ```python # Never use wildcard (*) in production -allow_origins=[ - "https://yourapp.com", - "https://www.yourapp.com" -], +allow_origins = (["https://yourapp.com", "https://www.yourapp.com"],) ``` ### Security Headers 
@@ -393,6 +390,7 @@ Add security headers middleware: ```python from starlette.middleware.base import BaseHTTPMiddleware + class SecurityHeadersMiddleware(BaseHTTPMiddleware): async def dispatch(self, request, call_next): response = await call_next(request) @@ -416,11 +414,7 @@ from logging.handlers import RotatingFileHandler LOGGING_LEVEL = logging.INFO # Configure file rotation -file_handler = RotatingFileHandler( - 'logs/app.log', - maxBytes=10485760, # 10MB - backupCount=5 # Keep 5 backup files -) +file_handler = RotatingFileHandler("logs/app.log", maxBytes=10485760, backupCount=5) # 10MB # Keep 5 backup files ``` ### Structured Logging @@ -435,7 +429,7 @@ structlog.configure( structlog.stdlib.filter_by_level, structlog.stdlib.add_logger_name, structlog.stdlib.add_log_level, - structlog.processors.JSONRenderer() + structlog.processors.JSONRenderer(), ], logger_factory=structlog.stdlib.LoggerFactory(), ) @@ -445,11 +439,7 @@ structlog.configure( ```python # Environment-specific log levels -LOG_LEVELS = { - "local": logging.DEBUG, - "staging": logging.INFO, - "production": logging.WARNING -} +LOG_LEVELS = {"local": logging.DEBUG, "staging": logging.INFO, "production": logging.WARNING} LOGGING_LEVEL = LOG_LEVELS.get(settings.ENVIRONMENT, logging.INFO) ``` @@ -500,12 +490,12 @@ Add custom middleware in `src/app/core/setup.py`: ```python def create_application(router, settings, **kwargs): app = FastAPI(...) - + # Add custom middleware app.add_middleware(CustomMiddleware, setting=value) app.add_middleware(TimingMiddleware) app.add_middleware(RequestIDMiddleware) - + return app ``` @@ -516,10 +506,11 @@ Implement feature flags: ```python class FeatureSettings(BaseSettings): ENABLE_ADVANCED_CACHING: bool = False - ENABLE_ANALYTICS: bool = True + ENABLE_ANALYTICS: bool = True ENABLE_EXPERIMENTAL_FEATURES: bool = False ENABLE_API_VERSIONING: bool = True + # Use in endpoints if settings.ENABLE_ADVANCED_CACHING: # Advanced caching logic 
@@ -536,11 +527,11 @@ Add validation to prevent misconfiguration: def validate_settings(): if not settings.SECRET_KEY: raise ValueError("SECRET_KEY must be set") - + if settings.ENVIRONMENT == "production": if settings.SECRET_KEY == "dev-secret-key": raise ValueError("Production must use secure SECRET_KEY") - + if settings.DEBUG: raise ValueError("DEBUG must be False in production") ``` @@ -563,6 +554,7 @@ async def startup_event(): ### Common Issues **Environment Variables Not Loading:** + ```bash # Check file location and permissions ls -la src/.env @@ -575,6 +567,7 @@ python -c "from src.app.core.config import settings; print(settings.APP_NAME)" ``` **Database Connection Failed:** + ```bash # Test connection manually psql -h localhost -U postgres -d myapp @@ -586,13 +579,14 @@ brew services list | grep postgresql ``` **Redis Connection Failed:** + ```bash # Test Redis connection redis-cli -h localhost -p 6379 ping # Check Redis status systemctl status redis -# or on macOS +# or on macOS brew services list | grep redis ``` @@ -606,10 +600,11 @@ import asyncio from src.app.core.config import settings from src.app.core.db.database import async_get_db + async def test_config(): print(f"App: {settings.APP_NAME}") print(f"Environment: {settings.ENVIRONMENT}") - + # Test database try: db = await anext(async_get_db()) @@ -617,20 +612,23 @@ async def test_config(): await db.close() except Exception as e: print(f"✗ Database connection failed: {e}") - + # Test Redis (if enabled) try: from src.app.core.utils.cache import redis_client + await redis_client.ping() print("✓ Redis connection successful") except Exception as e: print(f"✗ Redis connection failed: {e}") + if __name__ == "__main__": asyncio.run(test_config()) ``` Run with: + ```bash uv run python test_config.py -``` \ No newline at end of file +``` diff --git a/docs/user-guide/configuration/settings-classes.md b/docs/user-guide/configuration/settings-classes.md index 2a9e932b..277ef8af 100644 
--- a/docs/user-guide/configuration/settings-classes.md +++ b/docs/user-guide/configuration/settings-classes.md @@ -10,7 +10,7 @@ The main `Settings` class inherits from multiple specialized setting groups: # src/app/core/config.py class Settings( AppSettings, - PostgresSettings, + PostgresSettings, CryptSettings, FirstUserSettings, RedisCacheSettings, @@ -19,9 +19,11 @@ class Settings( RedisRateLimiterSettings, DefaultRateLimitSettings, EnvironmentSettings, + CORSSettings, ): pass + # Single instance used throughout the app settings = Settings() ``` @@ -29,6 +31,7 @@ settings = Settings() ## Built-in Settings Groups ### Application Settings + Basic app metadata and configuration: ```python @@ -42,6 +45,7 @@ class AppSettings(BaseSettings): ``` ### Database Settings + PostgreSQL connection configuration: ```python @@ -63,6 +67,7 @@ class PostgresSettings(BaseSettings): ``` ### Security Settings + JWT and authentication configuration: ```python @@ -81,6 +86,7 @@ class CryptSettings(BaseSettings): ``` ### Redis Settings + Separate Redis instances for different services: ```python @@ -88,16 +94,19 @@ class RedisCacheSettings(BaseSettings): REDIS_CACHE_HOST: str = "localhost" REDIS_CACHE_PORT: int = 6379 + class RedisQueueSettings(BaseSettings): REDIS_QUEUE_HOST: str = "localhost" REDIS_QUEUE_PORT: int = 6379 + class RedisRateLimiterSettings(BaseSettings): REDIS_RATE_LIMIT_HOST: str = "localhost" REDIS_RATE_LIMIT_PORT: int = 6379 ``` ### Rate Limiting Settings + Default rate limiting configuration: ```python @@ -107,6 +116,7 @@ class DefaultRateLimitSettings(BaseSettings): ``` ### Admin User Settings + First superuser account creation: ```python @@ -146,6 +156,7 @@ class CustomSettings(BaseSettings): raise ValueError("MAX_UPLOAD_SIZE cannot exceed 100MB") return v + # Add to main Settings class class Settings( AppSettings, 
@@ -194,12 +205,12 @@ class FeatureSettings(BaseSettings): ENABLE_CACHING: bool = True ENABLE_RATE_LIMITING: bool = True ENABLE_BACKGROUND_JOBS: bool = True - + # Optional features ENABLE_ANALYTICS: bool = False ENABLE_EMAIL_NOTIFICATIONS: bool = False ENABLE_FILE_UPLOADS: bool = False - + # Experimental features ENABLE_EXPERIMENTAL_API: bool = False ENABLE_BETA_FEATURES: bool = False @@ -258,10 +269,10 @@ class SecuritySettings(BaseSettings): raise ValueError("SSL_CERT_PATH required when HTTPS enabled") if not self.SSL_KEY_PATH: raise ValueError("SSL_KEY_PATH required when HTTPS enabled") - + if self.FORCE_SSL and not self.ENABLE_HTTPS: raise ValueError("Cannot force SSL without enabling HTTPS") - + return self ``` @@ -279,10 +290,10 @@ class EnvironmentSettings(BaseSettings): if self.ENVIRONMENT == "production": if self.DEBUG: raise ValueError("DEBUG must be False in production") - + if self.ENVIRONMENT not in ["local", "staging", "production"]: raise ValueError("ENVIRONMENT must be local, staging, or production") - + return self ``` @@ -295,10 +306,10 @@ Create computed values from other settings: ```python class StorageSettings(BaseSettings): STORAGE_TYPE: str = "local" # local, s3, gcs - + # Local storage LOCAL_STORAGE_PATH: str = "./uploads" - + # S3 settings AWS_ACCESS_KEY_ID: str = "" AWS_SECRET_ACCESS_KEY: str = "" @@ -326,7 +337,7 @@ class StorageSettings(BaseSettings): "credentials": { "access_key": self.AWS_ACCESS_KEY_ID, "secret_key": self.AWS_SECRET_ACCESS_KEY, - } + }, } return {} ``` 
@@ -346,20 +357,22 @@ class AuthSettings(BaseSettings): REFRESH_TOKEN_EXPIRE: int = 7200 PASSWORD_MIN_LENGTH: int = 8 -# Notification service settings + +# Notification service settings class NotificationSettings(BaseSettings): EMAIL_ENABLED: bool = False SMS_ENABLED: bool = False PUSH_ENABLED: bool = False - + # Email settings SMTP_HOST: str = "" SMTP_PORT: int = 587 - + # SMS settings (example with Twilio) TWILIO_ACCOUNT_SID: str = "" TWILIO_AUTH_TOKEN: str = "" + # Main settings class Settings( AppSettings, @@ -379,24 +392,28 @@ class BaseAppSettings(BaseSettings): APP_NAME: str = "FastAPI App" DEBUG: bool = False + class DevelopmentSettings(BaseAppSettings): DEBUG: bool = True LOG_LEVEL: str = "DEBUG" DATABASE_ECHO: bool = True + class ProductionSettings(BaseAppSettings): DEBUG: bool = False LOG_LEVEL: str = "WARNING" DATABASE_ECHO: bool = False + def get_settings() -> BaseAppSettings: environment = os.getenv("ENVIRONMENT", "local") - + if environment == "production": return ProductionSettings() else: return DevelopmentSettings() + settings = get_settings() ``` @@ -414,7 +431,7 @@ class MinimalSettings( CryptSettings, FirstUserSettings, # Removed: RedisCacheSettings - # Removed: RedisQueueSettings + # Removed: RedisQueueSettings # Removed: RedisRateLimiterSettings EnvironmentSettings, ): @@ -431,6 +448,7 @@ class ServiceSettings(BaseSettings): ENABLE_CELERY: bool = True ENABLE_MONITORING: bool = False + class ConditionalSettings( AppSettings, PostgresSettings, @@ -440,14 +458,10 @@ class ConditionalSettings( # Add Redis settings only if enabled def __init__(self, **kwargs): super().__init__(**kwargs) - + if self.ENABLE_REDIS: # Dynamically add Redis settings - self.__class__ = type( - "ConditionalSettings", - (self.__class__, RedisCacheSettings), - {} - ) + self.__class__ = type("ConditionalSettings", (self.__class__, RedisCacheSettings), {}) ``` ## Testing Settings 
@@ -460,18 +474,19 @@ Create separate settings for testing: class TestSettings(BaseSettings): # Override database for testing POSTGRES_DB: str = "test_database" - + # Disable external services ENABLE_REDIS: bool = False ENABLE_EMAIL: bool = False - + # Speed up tests ACCESS_TOKEN_EXPIRE_MINUTES: int = 5 - + # Test-specific settings TEST_USER_EMAIL: str = "test@example.com" TEST_USER_PASSWORD: str = "testpassword123" + # Use in tests @pytest.fixture def test_settings(): @@ -485,25 +500,22 @@ Test your custom settings: ```python def test_custom_settings_validation(): # Test valid configuration - settings = CustomSettings( - CUSTOM_API_KEY="test-key", - CUSTOM_TIMEOUT=60, - MAX_UPLOAD_SIZE=5242880 # 5MB - ) + settings = CustomSettings(CUSTOM_API_KEY="test-key", CUSTOM_TIMEOUT=60, MAX_UPLOAD_SIZE=5242880) # 5MB assert settings.CUSTOM_TIMEOUT == 60 # Test validation error with pytest.raises(ValueError, match="MAX_UPLOAD_SIZE cannot exceed 100MB"): CustomSettings(MAX_UPLOAD_SIZE=209715200) # 200MB + def test_settings_computed_fields(): settings = StorageSettings( STORAGE_TYPE="s3", AWS_ACCESS_KEY_ID="test-key", AWS_SECRET_ACCESS_KEY="test-secret", - AWS_BUCKET_NAME="test-bucket" + AWS_BUCKET_NAME="test-bucket", ) - + assert settings.STORAGE_ENABLED is True assert settings.STORAGE_CONFIG["bucket"] == "test-bucket" ``` 
@@ -511,27 +523,31 @@ def test_settings_computed_fields(): ## Best Practices ### Organization + - Group related settings in dedicated classes - Use descriptive names for settings groups - Keep validation logic close to the settings - Document complex validation rules ### Security + - Validate sensitive settings like secret keys - Never set default values for secrets in production - Use computed fields to derive connection strings - Separate test and production configurations ### Performance + - Use `@computed_field` for expensive calculations - Cache settings instances appropriately - Avoid complex validation in hot paths - Use model validators for cross-field validation ### Testing + - Create separate test settings classes - Test all validation rules - Mock external service settings in tests - Use dependency injection for settings in tests -The settings system provides type safety, validation, and organization for your application configuration. Start with the built-in settings and extend them as your application grows! \ No newline at end of file +The settings system provides type safety, validation, and organization for your application configuration. Start with the built-in settings and extend them as your application grows! diff --git a/src/app/core/config.py b/src/app/core/config.py index bf097ecc..8804c369 100644 --- a/src/app/core/config.py +++ b/src/app/core/config.py @@ -1,7 +1,7 @@ import os from enum import Enum -from pydantic import SecretStr +from pydantic import SecretStr, computed_field from pydantic_settings import BaseSettings from starlette.config import Config @@ -67,7 +67,8 @@ class FirstUserSettings(BaseSettings): ADMIN_PASSWORD: str = config("ADMIN_PASSWORD", default="!Ch4ng3Th1sP4ssW0rd!") -class TestSettings(BaseSettings): ... +class TestSettings(BaseSettings): + ... class RedisCacheSettings(BaseSettings): 
@@ -127,6 +128,14 @@ class EnvironmentSettings(BaseSettings): ENVIRONMENT: EnvironmentOption = config("ENVIRONMENT", default=EnvironmentOption.LOCAL) +class CORSSettings(BaseSettings): + CORS_ORIGINS_STR: str = config("CORS_ORIGINS", default="*") + + @computed_field + def CORS_ORIGINS(self) -> list[str]: + return [origin.strip() for origin in self.CORS_ORIGINS_STR.split(",") if origin.strip()] + + class Settings( AppSettings, SQLiteSettings, @@ -141,6 +150,7 @@ class Settings( DefaultRateLimitSettings, CRUDAdminSettings, EnvironmentSettings, + CORSSettings, ): pass diff --git a/src/app/core/setup.py b/src/app/core/setup.py index 8e6bb81c..0e2b7f95 100644 --- a/src/app/core/setup.py +++ b/src/app/core/setup.py @@ -8,6 +8,7 @@ from arq import create_pool from arq.connections import RedisSettings from fastapi import APIRouter, Depends, FastAPI +from fastapi.middleware.cors import CORSMiddleware from fastapi.openapi.docs import get_redoc_html, get_swagger_ui_html from fastapi.openapi.utils import get_openapi @@ -18,6 +19,7 @@ from .config import ( AppSettings, ClientSideCacheSettings, + CORSSettings, DatabaseSettings, EnvironmentOption, EnvironmentSettings, @@ -80,6 +82,7 @@ def lifespan_factory( | RedisCacheSettings | AppSettings | ClientSideCacheSettings + | CORSSettings | RedisQueueSettings | RedisRateLimiterSettings | EnvironmentSettings @@ -135,6 +138,7 @@ def create_application( | RedisCacheSettings | AppSettings | ClientSideCacheSettings + | CORSSettings | RedisQueueSettings | RedisRateLimiterSettings | EnvironmentSettings 
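Review bot: `CORS_ORIGINS_STR` defaults to `"*"` while the create_application hunk in src/app/core/setup.py hard-codes `allow_credentials=True`, so a deployment that never sets `CORS_ORIGINS` ships a wildcard origin with credentials enabled. As far as I recall, Starlette's CORSMiddleware handles that combination by echoing the request's Origin back as Access-Control-Allow-Origin whenever the request carries a Cookie header, which would let any site make credentialed cross-origin requests against whatever cookie-based session the app uses (the admin panel's, for instance). The safer shape is to derive the flag from the list in setup.py, `allow_credentials="*" not in settings.CORS_ORIGINS,`, and to refuse a wildcard outside local development — `ENVIRONMENT` lives on the sibling EnvironmentSettings class, so that check fits better on the combined `Settings` or at startup than inside CORSSettings. Separately, `@computed_field` here decorates a plain method; stacking `@property` beneath it is the form pydantic documents and lets type checkers see `CORS_ORIGINS` as `list[str]`.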
@@ -161,6 +165,7 @@ def create_application( - DatabaseSettings: Adds event handlers for initializing database tables during startup. - RedisCacheSettings: Sets up event handlers for creating and closing a Redis cache pool. - ClientSideCacheSettings: Integrates middleware for client-side caching. + - CORSSettings: Integrates CORS middleware with specified origins. - RedisQueueSettings: Sets up event handlers for creating and closing a Redis queue pool. - RedisRateLimiterSettings: Sets up event handlers for creating and closing a Redis rate limiter pool. - EnvironmentSettings: Conditionally sets documentation URLs and integrates custom routes for API documentation @@ -206,6 +211,15 @@ def create_application( if isinstance(settings, ClientSideCacheSettings): application.add_middleware(ClientCacheMiddleware, max_age=settings.CLIENT_CACHE_MAX_AGE) + if isinstance(settings, CORSSettings): + application.add_middleware( + CORSMiddleware, + allow_origins=settings.CORS_ORIGINS, + allow_credentials=True, + allow_methods=["*"], + allow_headers=["*"], + ) + if isinstance(settings, EnvironmentSettings): if settings.ENVIRONMENT != EnvironmentOption.PRODUCTION: docs_router = APIRouter() From 77d09fec51b0d3cd137ee3f8814370fe489f4c42 Mon Sep 17 00:00:00 2001 From: Rodrigo Agundez Date: Wed, 22 Oct 2025 23:40:02 +0800 Subject: [PATCH 2/3] Add CORS methods and headers to settings and use them in middleware --- docs/user-guide/authentication/jwt-tokens.md | 209 +++++++----------- .../configuration/environment-specific.md | 89 ++++---- .../configuration/environment-variables.md | 2 +- src/app/core/config.py | 16 +- src/app/core/setup.py | 4 +- 5 files changed, 137 insertions(+), 183 deletions(-) diff --git a/docs/user-guide/authentication/jwt-tokens.md b/docs/user-guide/authentication/jwt-tokens.md index 1b4d30c5..4e5490bb 100644 --- a/docs/user-guide/authentication/jwt-tokens.md +++ b/docs/user-guide/authentication/jwt-tokens.md 
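Review bot: The added docstring line `- CORSSettings: Integrates CORS middleware with specified origins.` does not tell an operator that the origin list defaults to a wildcard or that credentials are always allowed, which is exactly what they need to know before deploying. I would expand it to `- CORSSettings: Adds CORSMiddleware for the comma-separated CORS_ORIGINS (default "*"); allow_credentials is always True, so set explicit origins outside local development.` The create_application body this docstring describes continues outside the hunk.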
@@ -21,6 +21,7 @@ JWT tokens are self-contained, digitally signed packages of information that can The authentication system uses a **dual-token approach** for maximum security and user experience: ### Access Tokens + Access tokens are short-lived credentials that prove a user's identity for API requests. Think of them as temporary keys that grant access to protected resources. - **Purpose**: Authenticate API requests and authorize actions @@ -31,6 +32,7 @@ Access tokens are short-lived credentials that prove a user's identity for API r **Why Short-Lived?** If an access token is stolen (e.g., through XSS), the damage window is limited to 30 minutes before it expires naturally. ### Refresh Tokens + Refresh tokens are longer-lived credentials used solely to generate new access tokens. They provide a balance between security and user convenience. - **Purpose**: Generate new access tokens without requiring re-login @@ -57,13 +59,11 @@ access_token = await create_access_token(data={"sub": username}) # Custom expiration for special cases (e.g., admin sessions) custom_expires = timedelta(minutes=60) -access_token = await create_access_token( - data={"sub": username}, - expires_delta=custom_expires -) +access_token = await create_access_token(data={"sub": username}, expires_delta=custom_expires) ``` **When to Customize Expiration:** + - **High-security environments**: Shorter expiration (15 minutes) - **Development/testing**: Longer expiration for convenience - **Admin operations**: Variable expiration based on sensitivity @@ -80,10 +80,7 @@ refresh_token = await create_refresh_token(data={"sub": username}) # Extended refresh token for "remember me" functionality extended_expires = timedelta(days=30) -refresh_token = await create_refresh_token( - data={"sub": username}, - expires_delta=extended_expires -) +refresh_token = await create_refresh_token(data={"sub": username}, expires_delta=extended_expires) ``` ### Token Structure 
@@ -93,22 +90,23 @@ JWT tokens consist of three parts separated by dots: `header.payload.signature`. ```python # Access token payload structure { - "sub": "username", # Subject (user identifier) - "exp": 1234567890, # Expiration timestamp (Unix) - "token_type": "access", # Distinguishes from refresh tokens - "iat": 1234567890 # Issued at (automatic) + "sub": "username", # Subject (user identifier) + "exp": 1234567890, # Expiration timestamp (Unix) + "token_type": "access", # Distinguishes from refresh tokens + "iat": 1234567890, # Issued at (automatic) } # Refresh token payload structure { - "sub": "username", # Same user identifier - "exp": 1234567890, # Longer expiration time - "token_type": "refresh", # Prevents confusion/misuse - "iat": 1234567890 # Issue timestamp + "sub": "username", # Same user identifier + "exp": 1234567890, # Longer expiration time + "token_type": "refresh", # Prevents confusion/misuse + "iat": 1234567890, # Issue timestamp } ``` **Key Fields Explained:** + - **`sub` (Subject)**: Identifies the user - can be username, email, or user ID - **`exp` (Expiration)**: Unix timestamp when token becomes invalid - **`token_type`**: Custom field preventing tokens from being used incorrectly @@ -144,9 +142,7 @@ Refresh token verification follows the same process but with different validatio token_data = await verify_token(token, TokenType.REFRESH, db) if token_data: # Generate new access token - new_access_token = await create_access_token( - data={"sub": token_data.username_or_email} - ) + new_access_token = await create_access_token(data={"sub": token_data.username_or_email}) return {"access_token": new_access_token, "token_type": "bearer"} else: # Refresh token invalid - user must log in again 
@@ -163,22 +159,22 @@ async def verify_token(token: str, expected_token_type: TokenType, db: AsyncSess is_blacklisted = await crud_token_blacklist.exists(db, token=token) if is_blacklisted: return None - + try: # 2. Verify signature and decode payload payload = jwt.decode(token, SECRET_KEY.get_secret_value(), algorithms=[ALGORITHM]) - + # 3. Extract and validate claims username_or_email: str | None = payload.get("sub") token_type: str | None = payload.get("token_type") - + # 4. Ensure token type matches expectation if username_or_email is None or token_type != expected_token_type: return None - + # 5. Return validated data return TokenData(username_or_email=username_or_email) - + except JWTError: # Token is malformed, expired, or signature invalid return None @@ -187,10 +183,10 @@ async def verify_token(token: str, expected_token_type: TokenType, db: AsyncSess **Security Checks Explained:** 1. **Blacklist Check**: Prevents use of tokens from logged-out users -2. **Signature Verification**: Ensures token hasn't been tampered with -3. **Expiration Check**: Automatically handled by JWT library -4. **Type Validation**: Prevents refresh tokens from being used as access tokens -5. **Subject Validation**: Ensures token contains valid user identifier +1. **Signature Verification**: Ensures token hasn't been tampered with +1. **Expiration Check**: Automatically handled by JWT library +1. **Type Validation**: Prevents refresh tokens from being used as access tokens +1. **Subject Validation**: Ensures token contains valid user identifier ## Client-Side Authentication Flow @@ -199,6 +195,7 @@ Understanding the complete authentication flow helps frontend developers integra ### Recommended Client Flow **1. Login Process** + ```javascript // Send credentials to login endpoint const response = await fetch('/api/v1/login', { 
@@ -215,6 +212,7 @@ sessionStorage.setItem('access_token', access_token); ``` **2. Making Authenticated Requests** + ```javascript // Include access token in Authorization header const response = await fetch('/api/v1/protected-endpoint', { @@ -226,6 +224,7 @@ const response = await fetch('/api/v1/protected-endpoint', { ``` **3. Handling Token Expiration** + ```javascript // Automatic token refresh on 401 errors async function apiCall(url, options = {}) { @@ -237,18 +236,18 @@ async function apiCall(url, options = {}) { }, credentials: 'include' }); - + // If token expired, try to refresh if (response.status === 401) { const refreshResponse = await fetch('/api/v1/refresh', { method: 'POST', credentials: 'include' // Sends refresh token cookie }); - + if (refreshResponse.ok) { const { access_token } = await refreshResponse.json(); sessionStorage.setItem('access_token', access_token); - + // Retry original request response = await fetch(url, { ...options, @@ -263,12 +262,13 @@ async function apiCall(url, options = {}) { window.location.href = '/login'; } } - + return response; } ``` **4. Logout Process** + ```javascript // Clear tokens and call logout endpoint await fetch('/api/v1/logout', { @@ -288,10 +288,10 @@ The refresh token cookie is configured for maximum security: response.set_cookie( key="refresh_token", value=refresh_token, - httponly=True, # Prevents JavaScript access (XSS protection) - secure=True, # HTTPS only in production - samesite="Lax", # CSRF protection with good usability - max_age=REFRESH_TOKEN_EXPIRE_DAYS * 24 * 60 * 60 + httponly=True, # Prevents JavaScript access (XSS protection) + secure=True, # HTTPS only in production + samesite="Lax", # CSRF protection with good usability + max_age=REFRESH_TOKEN_EXPIRE_DAYS * 24 * 60 * 60, ) ``` 
@@ -317,14 +317,15 @@ The system uses a database table to track invalidated tokens: # models/token_blacklist.py class TokenBlacklist(Base): __tablename__ = "token_blacklist" - + id: Mapped[int] = mapped_column(primary_key=True) token: Mapped[str] = mapped_column(unique=True, index=True) # Full token string - expires_at: Mapped[datetime] = mapped_column() # When to clean up + expires_at: Mapped[datetime] = mapped_column() # When to clean up created_at: Mapped[datetime] = mapped_column(default=datetime.utcnow) ``` **Design Considerations:** + - **Unique constraint**: Prevents duplicate entries - **Index on token**: Fast lookup during verification - **Expires_at field**: Enables automatic cleanup of old entries @@ -352,16 +353,13 @@ async def blacklist_token(token: str, db: AsyncSession) -> None: # 1. Decode token to extract expiration (no verification needed) payload = jwt.decode(token, SECRET_KEY.get_secret_value(), algorithms=[ALGORITHM]) exp_timestamp = payload.get("exp") - + if exp_timestamp is not None: # 2. Convert Unix timestamp to datetime expires_at = datetime.fromtimestamp(exp_timestamp) - + # 3. Store in blacklist with expiration - await crud_token_blacklist.create( - db, - object=TokenBlacklistCreate(token=token, expires_at=expires_at) - ) + await crud_token_blacklist.create(db, object=TokenBlacklistCreate(token=token, expires_at=expires_at)) ``` **Cleanup Strategy**: Blacklisted tokens can be automatically removed from the database after their natural expiration time, preventing unlimited database growth. 
@@ -378,24 +376,17 @@ async def login_for_access_token( db: Annotated[AsyncSession, Depends(async_get_db)], ) -> dict[str, str]: # 1. Authenticate user - user = await authenticate_user( - username_or_email=form_data.username, - password=form_data.password, - db=db - ) - + user = await authenticate_user(username_or_email=form_data.username, password=form_data.password, db=db) + if not user: - raise HTTPException( - status_code=401, - detail="Incorrect username or password" - ) - + raise HTTPException(status_code=401, detail="Incorrect username or password") + # 2. Create access token access_token = await create_access_token(data={"sub": user["username"]}) - + # 3. Create refresh token refresh_token = await create_refresh_token(data={"sub": user["username"]}) - + # 4. Set refresh token as HTTP-only cookie response.set_cookie( key="refresh_token", @@ -403,9 +394,9 @@ async def login_for_access_token( httponly=True, secure=True, samesite="strict", - max_age=REFRESH_TOKEN_EXPIRE_DAYS * 24 * 60 * 60 + max_age=REFRESH_TOKEN_EXPIRE_DAYS * 24 * 60 * 60, ) - + return {"access_token": access_token, "token_type": "bearer"} ``` 
@@ -414,31 +405,25 @@ async def login_for_access_token( ```python @router.post("/refresh", response_model=Token) async def refresh_access_token( - response: Response, - db: Annotated[AsyncSession, Depends(async_get_db)], - refresh_token: str = Cookie(None) + response: Response, db: Annotated[AsyncSession, Depends(async_get_db)], refresh_token: str = Cookie(None) ) -> dict[str, str]: if not refresh_token: raise HTTPException(status_code=401, detail="Refresh token missing") - + # 1. Verify refresh token token_data = await verify_token(refresh_token, TokenType.REFRESH, db) if not token_data: raise HTTPException(status_code=401, detail="Invalid refresh token") - + # 2. Create new access token - new_access_token = await create_access_token( - data={"sub": token_data.username_or_email} - ) - + new_access_token = await create_access_token(data={"sub": token_data.username_or_email}) + # 3. Optionally create new refresh token (token rotation) - new_refresh_token = await create_refresh_token( - data={"sub": token_data.username_or_email} - ) - + new_refresh_token = await create_refresh_token(data={"sub": token_data.username_or_email}) + # 4. Blacklist old refresh token await blacklist_token(refresh_token, db) - + # 5. Set new refresh token cookie response.set_cookie( key="refresh_token", @@ -446,9 +431,9 @@ async def refresh_access_token( httponly=True, secure=True, samesite="strict", - max_age=REFRESH_TOKEN_EXPIRE_DAYS * 24 * 60 * 60 + max_age=REFRESH_TOKEN_EXPIRE_DAYS * 24 * 60 * 60, ) - + return {"access_token": new_access_token, "token_type": "bearer"} ``` 
@@ -461,23 +446,18 @@ async def logout( db: Annotated[AsyncSession, Depends(async_get_db)], current_user: dict = Depends(get_current_user), token: str = Depends(oauth2_scheme), - refresh_token: str = Cookie(None) + refresh_token: str = Cookie(None), ) -> dict[str, str]: # 1. Blacklist access token await blacklist_token(token, db) - + # 2. Blacklist refresh token if present if refresh_token: await blacklist_token(refresh_token, db) - + # 3. Clear refresh token cookie - response.delete_cookie( - key="refresh_token", - httponly=True, - secure=True, - samesite="strict" - ) - + response.delete_cookie(key="refresh_token", httponly=True, secure=True, samesite="strict") + return {"message": "Successfully logged out"} ``` @@ -486,25 +466,18 @@ async def logout( ### get_current_user ```python -async def get_current_user( - db: AsyncSession = Depends(async_get_db), - token: str = Depends(oauth2_scheme) -) -> dict: +async def get_current_user(db: AsyncSession = Depends(async_get_db), token: str = Depends(oauth2_scheme)) -> dict: # 1. Verify token token_data = await verify_token(token, TokenType.ACCESS, db) if not token_data: raise HTTPException(status_code=401, detail="Invalid token") - + # 2. Get user from database - user = await crud_users.get( - db=db, - username=token_data.username_or_email, - schema_to_select=UserRead - ) - + user = await crud_users.get(db=db, username=token_data.username_or_email, schema_to_select=UserRead) + if user is None: raise HTTPException(status_code=401, detail="User not found") - + return user ``` @@ -512,12 +485,11 @@ async def get_current_user( ```python async def get_optional_user( - db: AsyncSession = Depends(async_get_db), - token: str = Depends(optional_oauth2_scheme) + db: AsyncSession = Depends(async_get_db), token: str = Depends(optional_oauth2_scheme) ) -> dict | None: if not token: return None - + try: return await get_current_user(db=db, token=token) except HTTPException: 
@@ -527,14 +499,9 @@ async def get_optional_user( ### get_current_superuser ```python -async def get_current_superuser( - current_user: dict = Depends(get_current_user) -) -> dict: +async def get_current_superuser(current_user: dict = Depends(get_current_user)) -> dict: if not current_user.get("is_superuser", False): - raise HTTPException( - status_code=403, - detail="Not enough permissions" - ) + raise HTTPException(status_code=403, detail="Not enough permissions") return current_user ``` @@ -551,7 +518,7 @@ REFRESH_TOKEN_EXPIRE_DAYS=7 # Security Headers SECURE_COOKIES=true -CORS_ORIGINS=["http://localhost:3000", "https://yourapp.com"] +CORS_ORIGINS="http://localhost:3000,https://yourapp.com" ``` ### Security Configuration @@ -563,7 +530,7 @@ class Settings(BaseSettings): ALGORITHM: str = "HS256" ACCESS_TOKEN_EXPIRE_MINUTES: int = 30 REFRESH_TOKEN_EXPIRE_DAYS: int = 7 - + # Cookie settings SECURE_COOKIES: bool = True COOKIE_DOMAIN: str | None = None @@ -600,18 +567,15 @@ class Settings(BaseSettings): For service-to-service communication: ```python -async def get_api_key_user( - api_key: str = Header(None), - db: AsyncSession = Depends(async_get_db) -) -> dict: +async def get_api_key_user(api_key: str = Header(None), db: AsyncSession = Depends(async_get_db)) -> dict: if not api_key: raise HTTPException(status_code=401, detail="API key required") - + # Verify API key user = await crud_users.get(db=db, api_key=api_key) if not user: raise HTTPException(status_code=401, detail="Invalid API key") - + return user ``` @@ -619,9 +583,7 @@ async def get_api_key_user( ```python async def get_authenticated_user( - db: AsyncSession = Depends(async_get_db), - token: str = Depends(optional_oauth2_scheme), - api_key: str = Header(None) + db: AsyncSession = Depends(async_get_db), token: str = Depends(optional_oauth2_scheme), api_key: str = Header(None) ) -> dict: # Try JWT token first if token: 
@@ -629,11 +591,11 @@ async def get_authenticated_user( return await get_current_user(db=db, token=token) except HTTPException: pass - + # Fall back to API key if api_key: return await get_api_key_user(api_key=api_key, db=db) - + raise HTTPException(status_code=401, detail="Authentication required") ``` @@ -651,6 +613,7 @@ async def get_authenticated_user( ```python # Enable debug logging import logging + logging.getLogger("app.core.security").setLevel(logging.DEBUG) # Test token validation @@ -658,12 +621,12 @@ async def debug_token(token: str, db: AsyncSession): try: payload = jwt.decode(token, SECRET_KEY.get_secret_value(), algorithms=[ALGORITHM]) print(f"Token payload: {payload}") - + is_blacklisted = await crud_token_blacklist.exists(db, token=token) print(f"Is blacklisted: {is_blacklisted}") - + except JWTError as e: print(f"JWT Error: {e}") ``` -This comprehensive JWT implementation provides secure, scalable authentication for your FastAPI application. \ No newline at end of file +This comprehensive JWT implementation provides secure, scalable authentication for your FastAPI application. diff --git a/docs/user-guide/configuration/environment-specific.md b/docs/user-guide/configuration/environment-specific.md index d544cbbd..eba0bab2 100644 --- a/docs/user-guide/configuration/environment-specific.md +++ b/docs/user-guide/configuration/environment-specific.md @@ -7,7 +7,7 @@ Learn how to configure your FastAPI application for different environments (deve The boilerplate supports three environment types: - **`local`** - Development environment with full debugging -- **`staging`** - Pre-production testing environment +- **`staging`** - Pre-production testing environment - **`production`** - Production environment with security hardening Set the environment type with: 
@@ -38,7 +38,7 @@ POSTGRES_SERVER="localhost" POSTGRES_PORT=5432 POSTGRES_DB="myapp_dev" -# ------------- crypt ------------- +# ------------- security ------------- SECRET_KEY="dev-secret-key-not-for-production-use" ALGORITHM="HS256" ACCESS_TOKEN_EXPIRE_MINUTES=60 # Longer for development @@ -77,15 +77,6 @@ DATABASE_ECHO=true # Log all SQL queries ```python # Development-specific features if settings.ENVIRONMENT == "local": - # Enable detailed error pages - app.add_middleware( - CORSMiddleware, - allow_origins=["*"], # Allow all origins in development - allow_credentials=True, - allow_methods=["*"], - allow_headers=["*"], - ) - # Enable API documentation app.openapi_url = "/openapi.json" app.docs_url = "/docs" @@ -152,11 +143,13 @@ POSTGRES_SERVER="staging-db.example.com" POSTGRES_PORT=5432 POSTGRES_DB="myapp_staging" -# ------------- crypt ------------- +# ------------- security ------------- SECRET_KEY="staging-secret-key-different-from-production" ALGORITHM="HS256" ACCESS_TOKEN_EXPIRE_MINUTES=30 REFRESH_TOKEN_EXPIRE_DAYS=7 +CORS_ORIGINS="https://staging.example.com" +CORS_METHODS="GET,POST,PUT,DELETE" # ------------- redis ------------- REDIS_CACHE_HOST="staging-redis.example.com" @@ -191,15 +184,6 @@ DATABASE_ECHO=false ```python # Staging-specific features if settings.ENVIRONMENT == "staging": - # Restricted CORS - app.add_middleware( - CORSMiddleware, - allow_origins=["https://staging.example.com"], - allow_credentials=True, - allow_methods=["GET", "POST", "PUT", "DELETE"], - allow_headers=["*"], - ) - # API docs available to superusers only @app.get("/docs", include_in_schema=False) async def custom_swagger_ui(current_user: User = Depends(get_current_superuser)): 
@@ -270,11 +254,14 @@ POSTGRES_SERVER="prod-db.example.com" POSTGRES_PORT=5433 # Custom port for security POSTGRES_DB="myapp_production" -# ------------- crypt ------------- +# ------------- security ------------- SECRET_KEY="ultra-secure-production-key-generated-with-openssl-rand-hex-32" ALGORITHM="HS256" ACCESS_TOKEN_EXPIRE_MINUTES=15 # Shorter for security REFRESH_TOKEN_EXPIRE_DAYS=3 # Shorter for security +CORS_ORIGINS="https://example.com,https://www.example.com" +CORS_METHODS="GET,POST,PUT,DELETE" +CORS_HEADERS="Authorization,Content-Type" # ------------- redis ------------- REDIS_CACHE_HOST="prod-redis.example.com" @@ -309,20 +296,11 @@ DATABASE_ECHO=false ```python # Production-specific features if settings.ENVIRONMENT == "production": - # Strict CORS - app.add_middleware( - CORSMiddleware, - allow_origins=["https://example.com", "https://www.example.com"], - allow_credentials=True, - allow_methods=["GET", "POST", "PUT", "DELETE"], - allow_headers=["Authorization", "Content-Type"], - ) - # Disable API documentation app.openapi_url = None app.docs_url = None app.redoc_url = None - + # Add security headers @app.middleware("http") async def add_security_headers(request: Request, call_next): @@ -423,17 +401,18 @@ class Settings(BaseSettings): @property def IS_DEVELOPMENT(self) -> bool: return self.ENVIRONMENT == "local" - + @computed_field @property def IS_PRODUCTION(self) -> bool: return self.ENVIRONMENT == "production" - + @computed_field @property def IS_STAGING(self) -> bool: return self.ENVIRONMENT == "staging" + # Use in application if settings.IS_DEVELOPMENT: # Development-only code 
@@ -457,12 +436,12 @@ def validate_environment_config(self) -> "Settings": raise ValueError("SECRET_KEY must be at least 32 characters in production") if "dev" in self.SECRET_KEY.lower(): raise ValueError("Production SECRET_KEY cannot contain 'dev'") - + if self.ENVIRONMENT == "local": # Development warnings if not self.DEBUG: logger.warning("DEBUG is False in development environment") - + return self ``` @@ -492,21 +471,22 @@ import asyncio from src.app.core.config import settings from src.app.core.db.database import async_get_db + async def validate_configuration(): """Validate configuration for current environment.""" print(f"Validating configuration for {settings.ENVIRONMENT} environment...") - + # Basic settings validation assert settings.APP_NAME, "APP_NAME is required" assert settings.SECRET_KEY, "SECRET_KEY is required" assert len(settings.SECRET_KEY) >= 32, "SECRET_KEY must be at least 32 characters" - + # Environment-specific validation if settings.ENVIRONMENT == "production": assert not settings.DEBUG, "DEBUG must be False in production" assert "dev" not in settings.SECRET_KEY.lower(), "Production SECRET_KEY invalid" assert settings.POSTGRES_PORT != 5432, "Use custom PostgreSQL port in production" - + # Test database connection try: db = await anext(async_get_db()) @@ -515,10 +495,11 @@ async def validate_configuration(): except Exception as e: print(f"✗ Database connection failed: {e}") return False - + print("✓ Configuration validation passed") return True + if __name__ == "__main__": asyncio.run(validate_configuration()) ``` @@ -585,7 +566,7 @@ SECURITY_CONFIGS = { "enable_cors_origins": ["https://example.com"], "enable_docs": False, "log_level": "WARNING", - } + }, } config = SECURITY_CONFIGS[settings.ENVIRONMENT] @@ -628,7 +609,7 @@ LOGGING_CONFIG = { "handlers": ["console"], }, "staging": { - "level": "INFO", + "level": "INFO", "format": "%(asctime)s - %(name)s - %(levelname)s - %(message)s", "handlers": ["console", "file"], }, 
@@ -636,7 +617,7 @@ LOGGING_CONFIG = { "level": "WARNING", "format": "%(asctime)s - %(name)s - %(levelname)s - %(funcName)s:%(lineno)d - %(message)s", "handlers": ["file", "syslog"], - } + }, } ``` @@ -650,21 +631,24 @@ async def health_check(): "environment": settings.ENVIRONMENT, "version": settings.APP_VERSION, } - + # Add detailed info in non-production if not settings.IS_PRODUCTION: - health_info.update({ - "database": await check_database_health(), - "redis": await check_redis_health(), - "worker_queue": await check_worker_health(), - }) - + health_info.update( + { + "database": await check_database_health(), + "redis": await check_redis_health(), + "worker_queue": await check_worker_health(), + } + ) + return health_info ``` ## Best Practices ### Security + - Use different secret keys for each environment - Disable debug mode in staging and production - Use custom ports in production 
@@ -672,21 +656,24 @@ async def health_check(): - Remove API documentation in production ### Performance + - Configure appropriate resource limits per environment - Use caching in staging and production - Set shorter token expiration in production - Use connection pooling in production ### Configuration + - Keep environment files in version control (except production) - Use validation to prevent misconfiguration - Document all environment-specific settings - Test configuration changes in staging first ### Monitoring + - Use appropriate log levels per environment - Monitor different metrics in each environment - Set up alerts for production only - Use health checks for all environments -Environment-specific configuration ensures your application runs securely and efficiently in each deployment stage. Start with development settings and progressively harden for production! \ No newline at end of file +Environment-specific configuration ensures your application runs securely and efficiently in each deployment stage. Start with development settings and progressively harden for production! diff --git a/docs/user-guide/configuration/environment-variables.md b/docs/user-guide/configuration/environment-variables.md index 3eaeb094..6da60d8a 100644 --- a/docs/user-guide/configuration/environment-variables.md +++ b/docs/user-guide/configuration/environment-variables.md @@ -364,7 +364,7 @@ def create_access_token(data: dict, expires_delta: timedelta = None): ### CORS Configuration -Configure Cross-Origin Resource Sharing in `src/app/main.py`: +Customize Cross-Origin Resource Sharing in `src/app/core/setup.py`: ```python app.add_middleware( diff --git a/src/app/core/config.py b/src/app/core/config.py index 8804c369..bce9b2bd 100644 --- a/src/app/core/config.py +++ b/src/app/core/config.py 
@@ -1,7 +1,7 @@ import os from enum import Enum -from pydantic import SecretStr, computed_field +from pydantic import SecretStr from pydantic_settings import BaseSettings from starlette.config import Config @@ -10,6 +10,12 @@ config = Config(env_path) +def str_setting_to_list(setting: str) -> list[str]: + if isinstance(setting, str): + return [item.strip() for item in setting.split(",") if item.strip()] + raise ValueError("Invalid string setting for list conversion.") + + class AppSettings(BaseSettings): APP_NAME: str = config("APP_NAME", default="FastAPI app") APP_DESCRIPTION: str | None = config("APP_DESCRIPTION", default=None) @@ -129,11 +135,9 @@ class EnvironmentSettings(BaseSettings): class CORSSettings(BaseSettings): - CORS_ORIGINS_STR: str = config("CORS_ORIGINS", default="*") - - @computed_field - def CORS_ORIGINS(self) -> list[str]: - return [origin.strip() for origin in self.CORS_ORIGINS_STR.split(",") if origin.strip()] + CORS_ORIGINS: list[str] = config("CORS_ORIGINS", cast=str_setting_to_list, default="*") + CORS_METHODS: list[str] = config("CORS_METHODS", cast=str_setting_to_list, default="*") + CORS_HEADERS: list[str] = config("CORS_HEADERS", cast=str_setting_to_list, default="*") class Settings( diff --git a/src/app/core/setup.py b/src/app/core/setup.py index 0e2b7f95..b2cdcbf7 100644 --- a/src/app/core/setup.py +++ b/src/app/core/setup.py @@ -216,8 +216,8 @@ def create_application( CORSMiddleware, allow_origins=settings.CORS_ORIGINS, allow_credentials=True, - allow_methods=["*"], - allow_headers=["*"], + allow_methods=settings.CORS_METHODS, + allow_headers=settings.CORS_HEADERS, ) if isinstance(settings, EnvironmentSettings): From c34cf1c3ad1e971831278897d43a966536c7a9cc Mon Sep 17 00:00:00 2001 
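Review bot: `str_setting_to_list` has no docstring and its `isinstance(setting, str)` guard contradicts the `setting: str` annotation, so a reader cannot tell whether non-string input is expected or a programming error; a one-line docstring such as `"""Split a comma-separated setting into stripped, non-empty items; raise ValueError for non-string input."""` would settle that. Since `starlette.config.Config` appears to apply `cast` to the `default` as well, the `ValueError` branch is reached only for non-string defaults, and an empty `CORS_ORIGINS=""` yields `[]` rather than falling back to the default; both are worth stating in the docstring.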
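Review bot: The three `CORSSettings` fields default to `"*"`, which after the cast becomes `["*"]`, and the middleware in setup.py passes that straight to `allow_origins` with credentials enabled, so the boilerplate is permissive unless the operator sets `CORS_ORIGINS`; the PATCH 2/3 environment docs show explicit origins for staging and production, but nothing enforces it. A comment on the `CORS_ORIGINS` line, e.g. `# "*" is a development convenience; set explicit origins wherever cookies or credentials are used`, would make the default's intent visible, and a non-wildcard default (or a validator that rejects `"*"` when `ENVIRONMENT` is production, which `EnvironmentSettings` already models) would make it safe. `CORSSettings` is fully inside this hunk, but the `Settings` class that composes it continues past it.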
From: LucasQR Date: Mon, 17 Nov 2025 16:41:21 -0300 Subject: [PATCH 3/3] making the requested changes --- README.md | 2223 +---------------- docs/getting-started/configuration.md | 19 + .../configuration/environment-variables.md | 34 + .../.env.example | 67 + .../Dockerfile | 27 + .../docker-compose.yml | 112 + scripts/local_with_uvicorn/.env.example | 72 + scripts/local_with_uvicorn/Dockerfile | 44 + scripts/local_with_uvicorn/docker-compose.yml | 112 + scripts/production_with_nginx/.env.example | 67 + scripts/production_with_nginx/Dockerfile | 27 + .../production_with_nginx/docker-compose.yml | 110 + 12 files changed, 804 insertions(+), 2110 deletions(-) create mode 100644 scripts/gunicorn_managing_uvicorn_workers/.env.example create mode 100644 scripts/gunicorn_managing_uvicorn_workers/Dockerfile create mode 100644 scripts/gunicorn_managing_uvicorn_workers/docker-compose.yml create mode 100644 scripts/local_with_uvicorn/.env.example create mode 100644 scripts/local_with_uvicorn/Dockerfile create mode 100644 scripts/local_with_uvicorn/docker-compose.yml create mode 100644 scripts/production_with_nginx/.env.example create mode 100644 scripts/production_with_nginx/Dockerfile create mode 100644 scripts/production_with_nginx/docker-compose.yml diff --git a/README.md b/README.md index 4ff28bc8..b9b2ef1e 100644 --- a/README.md +++ b/README.md @@ -1,2201 +1,205 @@

Benav Labs FastAPI boilerplate

- Yet another template to speed your FastAPI development up. + Batteries-included FastAPI starter with production-ready defaults, optional modules, and clear docs.

- Purple Rocket with FastAPI Logo as its window. + Purple Rocket with FastAPI Logo as its window.

- - Python - +📚 Docs · 🧠 DeepWiki · 💬 Discord +

+ +

FastAPI - - Pydantic - PostgreSQL Redis - - Docker - - - NGINX - DeepWiki

-______________________________________________________________________ - -## 📖 Documentation - -📚 **[Visit our comprehensive documentation at benavlabs.github.io/FastAPI-boilerplate](https://benavlabs.github.io/FastAPI-boilerplate/)** - -🧠 **DeepWiki Docs: [deepwiki.com/benavlabs/FastAPI-boilerplate](https://deepwiki.com/benavlabs/FastAPI-boilerplate)** - -> **⚠️ Documentation Status** -> -> This is our first version of the documentation. While functional, we acknowledge it's rough around the edges - there's a huge amount to document and we needed to start somewhere! We built this foundation (with a lot of AI assistance) so we can improve upon it. -> -> Better documentation, examples, and guides are actively being developed. Contributions and feedback are greatly appreciated! - -This README provides a quick reference for LLMs and developers, but the full documentation contains detailed guides, examples, and best practices. - -______________________________________________________________________ - -## 0. About - -**FastAPI boilerplate** creates an extendable async API using FastAPI, Pydantic V2, SQLAlchemy 2.0 and PostgreSQL: - -- [`FastAPI`](https://fastapi.tiangolo.com): modern Python web framework for building APIs -- [`Pydantic V2`](https://docs.pydantic.dev/2.4/): the most widely used data Python validation library, rewritten in Rust [`(5x-50x faster)`](https://docs.pydantic.dev/latest/blog/pydantic-v2-alpha/) -- [`SQLAlchemy 2.0`](https://docs.sqlalchemy.org/en/20/changelog/whatsnew_20.html): Python SQL toolkit and Object Relational Mapper -- [`PostgreSQL`](https://www.postgresql.org): The World's Most Advanced Open Source Relational Database -- [`Redis`](https://redis.io): Open source, in-memory data store used by millions as a cache, message broker and more. -- [`ARQ`](https://arq-docs.helpmanual.io) Job queues and RPC in python with asyncio and redis. 
-- [`Docker Compose`](https://docs.docker.com/compose/) With a single command, create and start all the services from your configuration. -- [`NGINX`](https://nginx.org/en/) High-performance low resource consumption web server used for Reverse Proxy and Load Balancing. - -
- - fastroai-banner - -
- -## 🚀 Join Our Community - -💬 **[Join our Discord community](https://discord.com/invite/TEmPs22gqB)** - Connect with other developers using the FastAPI boilerplate! - -Our Discord server features: - -- **🤝 Networking** - Connect with fellow developers and share experiences -- **💡 Product Updates** - Stay updated with FastroAI and our other products -- **📸 Showcase** - Share what you've built using our tools -- **🗒️ Blog** - Latest blog posts and technical insights -- **💬 General Discussion** - Open space for questions and discussions -- **🎤 Community Voice** - Join live talks and community events - -Whether you're just getting started or building production applications, our community is here to help you succeed! - -## 1. Features - -- ⚡️ Fully async -- 🚀 Pydantic V2 and SQLAlchemy 2.0 -- 🔐 User authentication with JWT -- 🍪 Cookie based refresh token -- 🏬 Easy redis caching -- 👜 Easy client-side caching -- 🚦 ARQ integration for task queue -- ⚙️ Efficient and robust queries with fastcrud -- ⎘ Out of the box offset and cursor pagination support with fastcrud -- 🛑 Rate Limiter dependency -- 👮 FastAPI docs behind authentication and hidden based on the environment -- 🔧 Modern and light admin interface powered by [CRUDAdmin](https://github.com/benavlabs/crudadmin) -- 🚚 Easy running with docker compose -- ⚖️ NGINX Reverse Proxy and Load Balancing - -## 2. Contents - -0. [About](#0-about) -1. [Features](#1-features) -1. [Contents](#2-contents) -1. [Prerequisites](#3-prerequisites) - 1. [Environment Variables (.env)](#31-environment-variables-env) - 1. [Docker Compose](#32-docker-compose-preferred) - 1. [From Scratch](#33-from-scratch) -1. [Usage](#4-usage) - 1. [Docker Compose](#41-docker-compose) - 1. [From Scratch](#42-from-scratch) - 1. [Packages](#421-packages) - 1. [Running PostgreSQL With Docker](#422-running-postgresql-with-docker) - 1. [Running Redis with Docker](#423-running-redis-with-docker) - 1. [Running the API](#424-running-the-api) - 1. 
[Creating the first superuser](#43-creating-the-first-superuser) - 1. [Database Migrations](#44-database-migrations) -1. [Extending](#5-extending) - 1. [Project Structure](#51-project-structure) - 1. [Database Model](#52-database-model) - 1. [SQLAlchemy Models](#53-sqlalchemy-models) - 1. [Pydantic Schemas](#54-pydantic-schemas) - 1. [Alembic Migrations](#55-alembic-migrations) - 1. [CRUD](#56-crud) - 1. [Routes](#57-routes) - 1. [Paginated Responses](#571-paginated-responses) - 1. [HTTP Exceptions](#572-http-exceptions) - 1. [Caching](#58-caching) - 1. [More Advanced Caching](#59-more-advanced-caching) - 1. [ARQ Job Queues](#510-arq-job-queues) - 1. [Rate Limiting](#511-rate-limiting) - 1. [JWT Authentication](#512-jwt-authentication) - 1. [Admin Panel](#513-admin-panel) - 1. [Running](#514-running) - 1. [Create Application](#515-create-application) - 1. [Opting Out of Services](#516-opting-out-of-services) -1. [Running in Production](#6-running-in-production) - 1. [Uvicorn Workers with Gunicorn](#61-uvicorn-workers-with-gunicorn) - 1. [Running With NGINX](#62-running-with-nginx) - 1. [One Server](#621-one-server) - 1. [Multiple Servers](#622-multiple-servers) -1. [Testing](#7-testing) -1. [Contributing](#8-contributing) -1. [References](#9-references) -1. [License](#10-license) -1. [Contact](#11-contact) - -______________________________________________________________________ - -## 3. Prerequisites - -> 📖 **[See detailed installation guide in our docs](https://benavlabs.github.io/FastAPI-boilerplate/getting-started/installation/)** - -### 3.0 Start - -Start by using the template, and naming the repository to what you want. - -

- clicking use this template button, then create a new repository option -

- -Then clone your created repository (I'm using the base for the example) - -```sh -git clone https://github.com/igormagalhaesr/FastAPI-boilerplate -``` - -> \[!TIP\] -> If you are in a hurry, you may use one of the following templates (containing a `.env`, `docker-compose.yml` and `Dockerfile`): - -- [Running locally with uvicorn](https://gist.github.com/igorbenav/48ad745120c3f77817e094f3a609111a) -- [Runing in staging with gunicorn managing uvicorn workers](https://gist.github.com/igorbenav/d0518d4f6bdfb426d4036090f74905ee) -- [Running in production with NGINX](https://gist.github.com/igorbenav/232c3b73339d6ca74e2bf179a5ef48a1) - -> \[!WARNING\] -> Do not forget to place `docker-compose.yml` and `Dockerfile` in the `root` folder, while `.env` should be in the `src` folder. - -### 3.1 Environment Variables (.env) - -> 📖 **[See complete configuration guide in our docs](https://benavlabs.github.io/FastAPI-boilerplate/getting-started/configuration/)** - -Then create a `.env` file inside `src` directory: - -```sh -touch .env -``` - -Inside of `.env`, create the following app settings variables: - -``` -# ------------- app settings ------------- -APP_NAME="Your app name here" -APP_DESCRIPTION="Your app description here" -APP_VERSION="0.1" -CONTACT_NAME="Your name" -CONTACT_EMAIL="Your email" -LICENSE_NAME="The license you picked" -``` - -For the database ([`if you don't have a database yet, click here`](#422-running-postgresql-with-docker)), create: - -``` -# ------------- database ------------- -POSTGRES_USER="your_postgres_user" -POSTGRES_PASSWORD="your_password" -POSTGRES_SERVER="your_server" # default "localhost", if using docker compose you should use "db" -POSTGRES_PORT=5432 # default "5432", if using docker compose you should use "5432" -POSTGRES_DB="your_db" -``` - -For database administration using PGAdmin create the following variables in the .env file - -``` -# ------------- pgadmin ------------- -PGADMIN_DEFAULT_EMAIL="your_email_address" 
-PGADMIN_DEFAULT_PASSWORD="your_password" -PGADMIN_LISTEN_PORT=80 -``` - -To connect to the database, log into the PGAdmin console with the values specified in `PGADMIN_DEFAULT_EMAIL` and `PGADMIN_DEFAULT_PASSWORD`. - -Once in the main PGAdmin screen, click Add Server: +## Features -![pgadmin-connect](https://github.com/igorbenav/docs-images/blob/main/289698727-e15693b6-fae9-4ec6-a597-e70ab6f44133-3.png?raw=true) +* ⚡️ Fully async FastAPI + SQLAlchemy 2.0 +* 🧱 Pydantic v2 models & validation +* 🔐 JWT auth (access + refresh), cookies for refresh +* 👮 Rate limiter + tiers (free/pro/etc.) +* 🧰 FastCRUD for efficient CRUD & pagination +* 🧑‍💼 **CRUDAdmin**: minimal admin panel (optional) +* 🚦 ARQ background jobs (Redis) +* 🧊 Redis caching (server + client-side headers) +* 🌐 Configurable CORS middleware for frontend integration +* 🐳 One-command Docker Compose +* 🚀 NGINX & Gunicorn recipes for prod -1. Hostname/address is `db` (if using containers) -1. Is the value you specified in `POSTGRES_PORT` -1. Leave this value as `postgres` -1. is the value you specified in `POSTGRES_USER` -1. Is the value you specified in `POSTGRES_PASSWORD` +## Why and When to use it -For crypt: -Start by running +**Perfect if you want:** -```sh -openssl rand -hex 32 -``` - -And then create in `.env`: - -``` -# ------------- crypt ------------- -SECRET_KEY= # result of openssl rand -hex 32 -ALGORITHM= # pick an algorithm, default HS256 -ACCESS_TOKEN_EXPIRE_MINUTES= # minutes until token expires, default 30 -REFRESH_TOKEN_EXPIRE_DAYS= # days until token expires, default 7 -``` +* A pragmatic starter with auth, CRUD, jobs, caching and rate-limits +* **Sensible defaults** with the freedom to opt-out of modules +* **Docs over boilerplate** in README - depth lives in the site -Then for the first admin user: +> **Not a fit** if you need a monorepo microservices scaffold - [see the docs](https://benavlabs.github.io/FastAPI-boilerplate/user-guide/project-structure/) for pointers. 
-``` -# ------------- admin ------------- -ADMIN_NAME="your_name" -ADMIN_EMAIL="your_email" -ADMIN_USERNAME="your_username" -ADMIN_PASSWORD="your_password" -``` +**What you get:** -For the CRUDAdmin panel: +* **App**: FastAPI app factory, [env-aware docs](https://benavlabs.github.io/FastAPI-boilerplate/user-guide/development/) exposure +* **Auth**: [JWT access/refresh](https://benavlabs.github.io/FastAPI-boilerplate/user-guide/authentication/), logout via token blacklist +* **DB**: Postgres + SQLAlchemy 2.0, [Alembic migrations](https://benavlabs.github.io/FastAPI-boilerplate/user-guide/database/) +* **CRUD**: [FastCRUD generics](https://benavlabs.github.io/FastAPI-boilerplate/user-guide/database/crud/) (get, get_multi, create, update, delete, joins) +* **Caching**: [decorator-based endpoints cache](https://benavlabs.github.io/FastAPI-boilerplate/user-guide/caching/); client cache headers +* **Queues**: [ARQ worker](https://benavlabs.github.io/FastAPI-boilerplate/user-guide/background-tasks/) (async jobs), Redis connection helpers +* **Rate limits**: [per-tier + per-path rules](https://benavlabs.github.io/FastAPI-boilerplate/user-guide/rate-limiting/) +* **Admin**: [CRUDAdmin views](https://benavlabs.github.io/FastAPI-boilerplate/user-guide/admin-panel/) for common models (optional) -``` -# ------------- crud admin ------------- -CRUD_ADMIN_ENABLED=true # default=true, set to false to disable admin panel -CRUD_ADMIN_MOUNT_PATH="/admin" # default="/admin", path where admin panel will be mounted - -# ------------- crud admin security ------------- -CRUD_ADMIN_MAX_SESSIONS=10 # default=10, maximum concurrent sessions per user -CRUD_ADMIN_SESSION_TIMEOUT=1440 # default=1440 (24 hours), session timeout in minutes -SESSION_SECURE_COOKIES=true # default=true, use secure cookies - -# ------------- crud admin tracking ------------- -CRUD_ADMIN_TRACK_EVENTS=true # default=true, track admin events -CRUD_ADMIN_TRACK_SESSIONS=true # default=true, track admin sessions in 
database - -# ------------- crud admin redis (optional for production) ------------- -CRUD_ADMIN_REDIS_ENABLED=false # default=false, use Redis for session storage -CRUD_ADMIN_REDIS_HOST="localhost" # default="localhost", Redis host for admin sessions -CRUD_ADMIN_REDIS_PORT=6379 # default=6379, Redis port for admin sessions -CRUD_ADMIN_REDIS_DB=0 # default=0, Redis database for admin sessions -CRUD_ADMIN_REDIS_PASSWORD="" # optional, Redis password for admin sessions -CRUD_ADMIN_REDIS_SSL=false # default=false, use SSL for Redis connection -``` +This is what we've been using in production apps. Several applications running in production started from this boilerplate as their foundation - from SaaS platforms to internal tools. It's proven, stable technology that works together reliably. Use this as the foundation for whatever you want to build on top. -**Session Backend Options:** +> **Building an AI SaaS?** Skip even more setup with [**FastroAI**](https://fastro.ai) - our production-ready template with AI integration, payments, and frontend included. 
-- **Memory** (default): Development-friendly, sessions reset on restart -- **Redis** (production): High performance, scalable, persistent sessions -- **Database**: Audit-friendly with admin visibility -- **Hybrid**: Redis performance + database audit trail +## TL;DR - Quickstart -For redis caching: +Use the template on GitHub, create your repo, then: -``` -# ------------- redis cache------------- -REDIS_CACHE_HOST="your_host" # default "localhost", if using docker compose you should use "redis" -REDIS_CACHE_PORT=6379 # default "6379", if using docker compose you should use "6379" +```bash +git clone https://github.com//FastAPI-boilerplate +cd FastAPI-boilerplate ``` -And for client-side caching: +**Quick setup:** Run the interactive setup script to choose your deployment configuration: -``` -# ------------- redis client-side cache ------------- -CLIENT_CACHE_MAX_AGE=30 # default "30" +```bash +./setup.py ``` -For ARQ Job Queues: +Or directly specify the deployment type: `./setup.py local`, `./setup.py staging`, or `./setup.py production`. -``` -# ------------- redis queue ------------- -REDIS_QUEUE_HOST="your_host" # default "localhost", if using docker compose you should use "redis" -REDIS_QUEUE_PORT=6379 # default "6379", if using docker compose you should use "6379" -``` +The script copies the right files for your deployment scenario. Here's what each option sets up: -> \[!WARNING\] -> You may use the same redis for both caching and queue while developing, but the recommendation is using two separate containers for production. 
+### Option 1: Local development with Uvicorn -To create the first tier: +Best for: **Development and testing** -``` -# ------------- first tier ------------- -TIER_NAME="free" -``` +**Copies:** -For the rate limiter: +- `scripts/local_with_uvicorn/Dockerfile` → `Dockerfile` +- `scripts/local_with_uvicorn/docker-compose.yml` → `docker-compose.yml` +- `scripts/local_with_uvicorn/.env.example` → `src/.env` -``` -# ------------- redis rate limit ------------- -REDIS_RATE_LIMIT_HOST="localhost" # default="localhost", if using docker compose you should use "redis" -REDIS_RATE_LIMIT_PORT=6379 # default=6379, if using docker compose you should use "6379" +Sets up Uvicorn with auto-reload enabled. The example environment values work fine for development. +**Manual setup:** `./setup.py local` or copy the files above manually. -# ------------- default rate limit settings ------------- -DEFAULT_RATE_LIMIT_LIMIT=10 # default=10 -DEFAULT_RATE_LIMIT_PERIOD=3600 # default=3600 -``` +### Option 2: Staging with Gunicorn managing Uvicorn workers -And Finally the environment: +Best for: **Staging environments and load testing** -``` -# ------------- environment ------------- -ENVIRONMENT="local" -``` +**Copies:** -`ENVIRONMENT` can be one of `local`, `staging` and `production`, defaults to local, and changes the behavior of api `docs` endpoints: +- `scripts/gunicorn_managing_uvicorn_workers/Dockerfile` → `Dockerfile` +- `scripts/gunicorn_managing_uvicorn_workers/docker-compose.yml` → `docker-compose.yml` +- `scripts/gunicorn_managing_uvicorn_workers/.env.example` → `src/.env` -- **local:** `/docs`, `/redoc` and `/openapi.json` available -- **staging:** `/docs`, `/redoc` and `/openapi.json` available for superusers -- **production:** `/docs`, `/redoc` and `/openapi.json` not available +Sets up Gunicorn managing multiple Uvicorn workers for production-like performance testing. 
-### 3.2 Docker Compose (preferred) +> [!WARNING] +> Change `SECRET_KEY` and passwords in the `.env` file for staging environments. -To do it using docker compose, ensure you have docker and docker compose installed, then: -While in the base project directory (FastAPI-boilerplate here), run: +**Manual setup:** `./setup.py staging` or copy the files above manually. -```sh -docker compose up -``` +### Option 3: Production with NGINX -You should have a `web` container, `postgres` container, a `worker` container and a `redis` container running. -Then head to `http://127.0.0.1:8000/docs`. +Best for: **Production deployments** -### 3.3 From Scratch +**Copies:** -Install uv: +- `scripts/production_with_nginx/Dockerfile` → `Dockerfile` +- `scripts/production_with_nginx/docker-compose.yml` → `docker-compose.yml` +- `scripts/production_with_nginx/.env.example` → `src/.env` -```sh -pip install uv -``` +Sets up NGINX as reverse proxy with Gunicorn + Uvicorn workers for production. -## 4. Usage +> [!CAUTION] +> You MUST change `SECRET_KEY`, all passwords, and sensitive values in the `.env` file before deploying! -> 📖 **[See complete first run guide in our docs](https://benavlabs.github.io/FastAPI-boilerplate/getting-started/first-run/)** +**Manual setup:** `./setup.py production` or copy the files above manually. -### 4.1 Docker Compose +--- -If you used docker compose, your setup is done. You just need to ensure that when you run (while in the base folder): +**Start your application:** -```sh +```bash docker compose up ``` -You get the following outputs (in addition to many other outputs): - -```sh -fastapi-boilerplate-worker-1 | ... redis_version=x.x.x mem_usage=999K clients_connected=1 db_keys=0 -... -fastapi-boilerplate-db-1 | ... [1] LOG: database system is ready to accept connections -... -fastapi-boilerplate-web-1 | INFO: Application startup complete. -``` - -So you may skip to [5. Extending](#5-extending). - -### 4.2 From Scratch - -#### 4.2.1. 
Packages - -In the `root` directory (`FastAPI-boilerplate` if you didn't change anything), run to install required packages: - -```sh -uv sync -``` - -Ensuring it ran without any problem. - -#### 4.2.2. Running PostgreSQL With Docker - -> \[!NOTE\] -> If you already have a PostgreSQL running, you may skip this step. - -Install docker if you don't have it yet, then run: - -```sh -docker pull postgres -``` - -And pick the port, name, user and password, replacing the fields: - -```sh -docker run -d \ - -p {PORT}:{PORT} \ - --name {NAME} \ - -e POSTGRES_PASSWORD={PASSWORD} \ - -e POSTGRES_USER={USER} \ - postgres -``` - -Such as: - -```sh -docker run -d \ - -p 5432:5432 \ - --name postgres \ - -e POSTGRES_PASSWORD=1234 \ - -e POSTGRES_USER=postgres \ - postgres -``` - -#### 4.2.3. Running redis With Docker - -> \[!NOTE\] -> If you already have a redis running, you may skip this step. - -Install docker if you don't have it yet, then run: - -```sh -docker pull redis:alpine -``` - -And pick the name and port, replacing the fields: - -```sh -docker run -d \ - --name {NAME} \ - -p {PORT}:{PORT} \ -redis:alpine -``` - -Such as - -```sh -docker run -d \ - --name redis \ - -p 6379:6379 \ -redis:alpine -``` - -#### 4.2.4. Running the API - -While in the `root` folder, run to start the application with uvicorn server: - -```sh -uv run uvicorn src.app.main:app --reload -``` - -> \[!TIP\] -> The --reload flag enables auto-reload once you change (and save) something in the project - -### 4.3 Creating the first superuser - -#### 4.3.1 Docker Compose - -> \[!WARNING\] -> Make sure DB and tables are created before running create_superuser (db should be running and the api should run at least once before) - -If you are using docker compose, you should uncomment this part of the docker-compose.yml: - -``` - #-------- uncomment to create first superuser -------- - # create_superuser: - # build: - # context: . 
- # dockerfile: Dockerfile - # env_file: - # - ./src/.env - # depends_on: - # - db - # command: python -m src.scripts.create_first_superuser - # volumes: - # - ./src:/code/src -``` - -Getting: - -``` - #-------- uncomment to create first superuser -------- - create_superuser: - build: - context: . - dockerfile: Dockerfile - env_file: - - ./src/.env - depends_on: - - db - command: python -m src.scripts.create_first_superuser - volumes: - - ./src:/code/src -``` - -While in the base project folder run to start the services: - -```sh -docker-compose up -d -``` - -It will automatically run the create_superuser script as well, but if you want to rerun eventually: - -```sh -docker-compose run --rm create_superuser -``` - -to stop the create_superuser service: - -```sh -docker-compose stop create_superuser -``` - -#### 4.3.2 From Scratch - -While in the `root` folder, run (after you started the application at least once to create the tables): - -```sh -uv run python -m src.scripts.create_first_superuser -``` - -### 4.3.3 Creating the first tier - -> \[!WARNING\] -> Make sure DB and tables are created before running create_tier (db should be running and the api should run at least once before) - -To create the first tier it's similar, you just replace `create_superuser` for `create_tier` service or `create_first_superuser` to `create_first_tier` for scripts. If using `docker compose`, do not forget to uncomment the `create_tier` service in `docker-compose.yml`. - -### 4.4 Database Migrations - -> \[!WARNING\] -> To create the tables if you did not create the endpoints, ensure that you import the models in src/app/models/__init__.py. This step is crucial to create the new tables. 
- -If you are using the db in docker, you need to change this in `docker-compose.yml` to run migrations: - -```sh - db: - image: postgres:13 - env_file: - - ./src/.env - volumes: - - postgres-data:/var/lib/postgresql/data - # -------- replace with comment to run migrations with docker -------- - expose: - - "5432" - # ports: - # - 5432:5432 -``` - -Getting: - -```sh - db: - ... - # expose: - # - "5432" - ports: - - 5432:5432 -``` - -While in the `src` folder, run Alembic migrations: - -```sh -uv run alembic revision --autogenerate -``` - -And to apply the migration - -```sh -uv run alembic upgrade head -``` - -> \[!NOTE\] -> If you do not have uv, you may run it without uv after running `pip install alembic` - -## 5. Extending - -> 📖 **[See comprehensive development guide in our docs](https://benavlabs.github.io/FastAPI-boilerplate/user-guide/development/)** - -### 5.1 Project Structure - -> 📖 **[See detailed project structure guide in our docs](https://benavlabs.github.io/FastAPI-boilerplate/user-guide/project-structure/)** - -First, you may want to take a look at the project structure and understand what each file is doing. - -```sh -. -├── Dockerfile # Dockerfile for building the application container. -├── docker-compose.yml # Docker Compose file for defining multi-container applications. -├── pyproject.toml # Project configuration file with metadata and dependencies (PEP 621). -├── uv.lock # uv lock file specifying exact versions of dependencies. -├── README.md # Project README providing information and instructions. -├── LICENSE.md # License file for the project. -│ -├── tests # Unit tests for the application. -│ ├──helpers # Helper functions for tests. -│ │ ├── generators.py # Helper functions for generating test data. -│ │ └── mocks.py # Mock functions for testing. -│ ├── __init__.py -│ ├── conftest.py # Configuration and fixtures for pytest. -│ └── test_user_unit.py # Unit test cases for user-related functionality. -│ -└── src # Source code directory. 
- ├── __init__.py # Initialization file for the src package. - ├── alembic.ini # Configuration file for Alembic (database migration tool). - │ - ├── app # Main application directory. - │ ├── __init__.py # Initialization file for the app package. - │ ├── main.py # Main entry point of the FastAPI application. - │ │ - │ │ - │ ├── api # Folder containing API-related logic. - │ │ ├── __init__.py - │ │ ├── dependencies.py # Defines dependencies for use across API endpoints. - │ │ │ - │ │ └── v1 # Version 1 of the API. - │ │ ├── __init__.py - │ │ ├── login.py # API route for user login. - │ │ ├── logout.py # API route for user logout. - │ │ ├── posts.py # API routes for post operations. - │ │ ├── rate_limits.py # API routes for rate limiting functionalities. - │ │ ├── tasks.py # API routes for task management. - │ │ ├── tiers.py # API routes for user tier functionalities. - │ │ └── users.py # API routes for user management. - │ │ - │ ├── core # Core utilities and configurations for the application. - │ │ ├── __init__.py - │ │ ├── config.py # Configuration settings for the application. - │ │ ├── logger.py # Configuration for application logging. - │ │ ├── schemas.py # Pydantic schemas for data validation. - │ │ ├── security.py # Security utilities, such as password hashing. - │ │ ├── setup.py # Setup file for the FastAPI app instance. - │ │ │ - │ │ ├── db # Core Database related modules. - │ │ │ ├── __init__.py - │ │ │ ├── crud_token_blacklist.py # CRUD operations for token blacklist. - │ │ │ ├── database.py # Database connectivity and session management. - │ │ │ ├── models.py # Core Database models. - │ │ │ └── token_blacklist.py # Model for token blacklist functionality. - │ │ │ - │ │ ├── exceptions # Custom exception classes. - │ │ │ ├── __init__.py - │ │ │ ├── cache_exceptions.py # Exceptions related to cache operations. - │ │ │ └── http_exceptions.py # HTTP-related exceptions. - │ │ │ - │ │ ├── utils # Utility functions and helpers. 
- │ │ │ ├── __init__.py - │ │ │ ├── cache.py # Cache-related utilities. - │ │ │ ├── queue.py # Utilities for task queue management. - │ │ │ └── rate_limit.py # Rate limiting utilities. - │ │ │ - │ │ └── worker # Worker script for background tasks. - │ │ ├── __init__.py - │ │ ├── settings.py # Worker configuration and settings. - │ │ └── functions.py # Async task definitions and management. - │ │ - │ ├── crud # CRUD operations for the application. - │ │ ├── __init__.py - │ │ ├── crud_base.py # Base class for CRUD operations. - │ │ ├── crud_posts.py # CRUD operations for posts. - │ │ ├── crud_rate_limit.py # CRUD operations for rate limiting. - │ │ ├── crud_tier.py # CRUD operations for user tiers. - │ │ ├── crud_users.py # CRUD operations for users. - │ │ └── helper.py # Helper functions for CRUD operations. - │ │ - │ ├── logs # Directory for log files. - │ │ └── app.log # Log file for the application. - │ │ - │ ├── middleware # Middleware components for the application. - │ │ └── client_cache_middleware.py # Middleware for client-side caching. - │ │ - │ ├── models # ORM models for the application. - │ │ ├── __init__.py - │ │ ├── post.py # ORM model for posts. - │ │ ├── rate_limit.py # ORM model for rate limiting. - │ │ ├── tier.py # ORM model for user tiers. - │ │ └── user.py # ORM model for users. - │ │ - │ └── schemas # Pydantic schemas for data validation. - │ ├── __init__.py - │ ├── job.py # Schema for background jobs. - │ ├── post.py # Schema for post data. - │ ├── rate_limit.py # Schema for rate limiting data. - │ ├── tier.py # Schema for user tier data. - │ └── user.py # Schema for user data. - │ - ├── migrations # Alembic migration scripts for database changes. - │ ├── README - │ ├── env.py # Environment configuration for Alembic. - │ ├── script.py.mako # Template script for Alembic migrations. - │ │ - │ └── versions # Individual migration scripts. - │ └── README.MD - │ - └── scripts # Utility scripts for the application. 
- ├── __init__.py - ├── create_first_superuser.py # Script to create the first superuser. - └── create_first_tier.py # Script to create the first user tier. -``` - -### 5.2 Database Model - -Create the new entities and relationships and add them to the model
-![diagram](https://user-images.githubusercontent.com/43156212/284426387-bdafc637-0473-4b71-890d-29e79da288cf.png) - -#### 5.2.1 Token Blacklist - -Note that this table is used to blacklist the `JWT` tokens (it's how you log a user out)
-![diagram](https://user-images.githubusercontent.com/43156212/284426382-b2f3c0ca-b8ea-4f20-b47e-de1bad2ca283.png) - -### 5.3 SQLAlchemy Models - -> 📖 **[See database models guide in our docs](https://benavlabs.github.io/FastAPI-boilerplate/user-guide/database/models/)** - -Inside `app/models`, create a new `entity.py` for each new entity (replacing entity with the name) and define the attributes according to [SQLAlchemy 2.0 standards](https://docs.sqlalchemy.org/en/20/orm/mapping_styles.html#orm-mapping-styles): - -> \[!WARNING\] -> Note that since it inherits from `Base`, the new model is mapped as a python `dataclass`, so optional attributes (arguments with a default value) should be defined after required attributes. - -```python -from sqlalchemy import String, DateTime -from sqlalchemy.orm import Mapped, mapped_column, relationship - -from app.core.db.database import Base - - -class Entity(Base): - __tablename__ = "entity" - - id: Mapped[int] = mapped_column("id", autoincrement=True, nullable=False, unique=True, primary_key=True, init=False) - name: Mapped[str] = mapped_column(String(30)) - ... -``` - -### 5.4 Pydantic Schemas - -> 📖 **[See database schemas guide in our docs](https://benavlabs.github.io/FastAPI-boilerplate/user-guide/database/schemas/)** - -Inside `app/schemas`, create a new `entity.py` for each new entity (replacing entity with the name) and create the schemas according to [Pydantic V2](https://docs.pydantic.dev/latest/#pydantic-examples) standards: - -```python -from typing import Annotated - -from pydantic import BaseModel, EmailStr, Field, HttpUrl, ConfigDict - - -class EntityBase(BaseModel): - name: Annotated[ - str, - Field(min_length=2, max_length=30, examples=["Entity Name"]), - ] - - -class Entity(EntityBase): - ... - - -class EntityRead(EntityBase): - ... - - -class EntityCreate(EntityBase): - ... - - -class EntityCreateInternal(EntityCreate): - ... - - -class EntityUpdate(BaseModel): - ... 
- - -class EntityUpdateInternal(BaseModel): - ... - - -class EntityDelete(BaseModel): - model_config = ConfigDict(extra="forbid") - - is_deleted: bool - deleted_at: datetime -``` - -### 5.5 Alembic Migrations - -> 📖 **[See database migrations guide in our docs](https://benavlabs.github.io/FastAPI-boilerplate/user-guide/database/migrations/)** - -> \[!WARNING\] -> To create the tables if you did not create the endpoints, ensure that you import the models in src/app/models/__init__.py. This step is crucial to create the new models. - -Then, while in the `src` folder, run Alembic migrations: - -```sh -uv run alembic revision --autogenerate -``` - -And to apply the migration - -```sh -uv run alembic upgrade head -``` - -### 5.6 CRUD +**Access your app:** +- **Local**: http://127.0.0.1:8000 (auto-reload enabled) → [API docs](http://127.0.0.1:8000/docs) +- **Staging**: http://127.0.0.1:8000 (production-like performance) +- **Production**: http://localhost (NGINX reverse proxy) -> 📖 **[See CRUD operations guide in our docs](https://benavlabs.github.io/FastAPI-boilerplate/user-guide/database/crud/)** +### Next steps -Inside `app/crud`, create a new `crud_entity.py` inheriting from `FastCRUD` for each new entity: - -```python -from fastcrud import FastCRUD - -from app.models.entity import Entity -from app.schemas.entity import EntityCreateInternal, EntityUpdate, EntityUpdateInternal, EntityDelete - -CRUDEntity = FastCRUD[Entity, EntityCreateInternal, EntityUpdate, EntityUpdateInternal, EntityDelete] -crud_entity = CRUDEntity(Entity) -``` - -So, for users: - -```python -# crud_users.py -from app.model.user import User -from app.schemas.user import UserCreateInternal, UserUpdate, UserUpdateInternal, UserDelete - -CRUDUser = FastCRUD[User, UserCreateInternal, UserUpdate, UserUpdateInternal, UserDelete] -crud_users = CRUDUser(User) -``` - -#### 5.6.1 Get - -When actually using the crud in an endpoint, to get data you just pass the database connection and the attributes as 
kwargs: - -```python -# Here I'm getting the first user with email == user.email (email is unique in this case) -user = await crud_users.get(db=db, email=user.email) -``` - -#### 5.6.2 Get Multi - -To get a list of objects with the attributes, you should use the get_multi: - -```python -# Here I'm getting at most 10 users with the name 'User Userson' except for the first 3 -user = await crud_users.get_multi(db=db, offset=3, limit=100, name="User Userson") -``` - -> \[!WARNING\] -> Note that get_multi returns a python `dict`. - -Which will return a python dict with the following structure: - -```javascript -{ - "data": [ - { - "id": 4, - "name": "User Userson", - "username": "userson4", - "email": "user.userson4@example.com", - "profile_image_url": "https://profileimageurl.com" - }, - { - "id": 5, - "name": "User Userson", - "username": "userson5", - "email": "user.userson5@example.com", - "profile_image_url": "https://profileimageurl.com" - } - ], - "total_count": 2, - "has_more": false, - "page": 1, - "items_per_page": 10 -} -``` - -#### 5.6.3 Create - -To create, you pass a `CreateSchemaType` object with the attributes, such as a `UserCreate` pydantic schema: - -```python -from app.schemas.user import UserCreate - -# Creating the object -user_internal = UserCreate(name="user", username="myusername", email="user@example.com") - -# Passing the object to be created -crud_users.create(db=db, object=user_internal) -``` - -#### 5.6.4 Exists - -To just check if there is at least one row that matches a certain set of attributes, you should use `exists` - -```python -# This queries only the email variable -# It returns True if there's at least one or False if there is none -crud_users.exists(db=db, email=user @ example.com) -``` - -#### 5.6.5 Count - -You can also get the count of a certain object with the specified filter: - -```python -# Here I'm getting the count of users with the name 'User Userson' -user = await crud_users.count(db=db, name="User Userson") -``` - 
-#### 5.6.6 Update - -To update you pass an `object` which may be a `pydantic schema` or just a regular `dict`, and the kwargs. -You will update with `objects` the rows that match your `kwargs`. - -```python -# Here I'm updating the user with username == "myusername". -# #I'll change his name to "Updated Name" -crud_users.update(db=db, object={"name": "Updated Name"}, username="myusername") -``` - -#### 5.6.7 Delete - -To delete we have two options: - -- db_delete: actually deletes the row from the database -- delete: - - adds `"is_deleted": True` and `deleted_at: datetime.now(UTC)` if the model inherits from `PersistentDeletion` (performs a soft delete), but keeps the object in the database. - - actually deletes the row from the database if the model does not inherit from `PersistentDeletion` - -```python -# Here I'll just change is_deleted to True -crud_users.delete(db=db, username="myusername") - -# Here I actually delete it from the database -crud_users.db_delete(db=db, username="myusername") +**Create your first admin user:** +```bash +docker compose run --rm create_superuser ``` -#### 5.6.8 Get Joined - -To retrieve data with a join operation, you can use the get_joined method from your CRUD module. Here's how to do it: - -```python -# Fetch a single record with a join on another model (e.g., User and Tier). -result = await crud_users.get_joined( - db=db, # The SQLAlchemy async session. - join_model=Tier, # The model to join with (e.g., Tier). - schema_to_select=UserSchema, # Pydantic schema for selecting User model columns (optional). - join_schema_to_select=TierSchema, # Pydantic schema for selecting Tier model columns (optional). -) +**Run database migrations** (if you add models): +```bash +cd src && uv run alembic revision --autogenerate && uv run alembic upgrade head ``` -**Relevant Parameters:** - -- `join_model`: The model you want to join with (e.g., Tier). -- `join_prefix`: Optional prefix to be added to all columns of the joined model. 
If None, no prefix is added. -- `join_on`: SQLAlchemy Join object for specifying the ON clause of the join. If None, the join condition is auto-detected based on foreign keys. -- `schema_to_select`: A Pydantic schema to select specific columns from the primary model (e.g., UserSchema). -- `join_schema_to_select`: A Pydantic schema to select specific columns from the joined model (e.g., TierSchema). -- `join_type`: pecifies the type of join operation to perform. Can be "left" for a left outer join or "inner" for an inner join. Default "left". -- `kwargs`: Filters to apply to the primary query. - -This method allows you to perform a join operation, selecting columns from both models, and retrieve a single record. - -#### 5.6.9 Get Multi Joined - -Similarly, to retrieve multiple records with a join operation, you can use the get_multi_joined method. Here's how: - -```python -# Retrieve a list of objects with a join on another model (e.g., User and Tier). -result = await crud_users.get_multi_joined( - db=db, # The SQLAlchemy async session. - join_model=Tier, # The model to join with (e.g., Tier). - join_prefix="tier_", # Optional prefix for joined model columns. - join_on=and_(User.tier_id == Tier.id, User.is_superuser == True), # Custom join condition. - schema_to_select=UserSchema, # Pydantic schema for selecting User model columns. - join_schema_to_select=TierSchema, # Pydantic schema for selecting Tier model columns. - username="john_doe", # Additional filter parameters. -) +**Test background jobs:** +```bash +curl -X POST 'http://127.0.0.1:8000/api/v1/tasks/task?message=hello' ``` -**Relevant Parameters:** - -- `join_model`: The model you want to join with (e.g., Tier). -- `join_prefix`: Optional prefix to be added to all columns of the joined model. If None, no prefix is added. -- `join_on`: SQLAlchemy Join object for specifying the ON clause of the join. If None, the join condition is auto-detected based on foreign keys. 
-- `schema_to_select`: A Pydantic schema to select specific columns from the primary model (e.g., UserSchema). -- `join_schema_to_select`: A Pydantic schema to select specific columns from the joined model (e.g., TierSchema). -- `join_type`: pecifies the type of join operation to perform. Can be "left" for a left outer join or "inner" for an inner join. Default "left". -- `kwargs`: Filters to apply to the primary query. -- `offset`: The offset (number of records to skip) for pagination. Default 0. -- `limit`: The limit (maximum number of records to return) for pagination. Default 100. -- `kwargs`: Filters to apply to the primary query. - -#### More Efficient Selecting - -For the `get` and `get_multi` methods we have the option to define a `schema_to_select` attribute, which is what actually makes the queries more efficient. When you pass a `pydantic schema` (preferred) or a list of the names of the attributes in `schema_to_select` to the `get` or `get_multi` methods, only the attributes in the schema will be selected. - -```python -from app.schemas.user import UserRead - -# Here it's selecting all of the user's data -crud_user.get(db=db, username="myusername") - -# Now it's only selecting the data that is in UserRead. 
-# Since that's my response_model, it's all I need -crud_user.get(db=db, username="myusername", schema_to_select=UserRead) +**Or run locally without Docker:** +```bash +uv sync && uv run uvicorn src.app.main:app --reload ``` -### 5.7 Routes - -> 📖 **[See API endpoints guide in our docs](https://benavlabs.github.io/FastAPI-boilerplate/user-guide/api/endpoints/)** - -Inside `app/api/v1`, create a new `entities.py` file and create the desired routes with proper dependency injection: - -```python -from typing import Annotated, List -from fastapi import Depends, Request, APIRouter -from sqlalchemy.ext.asyncio import AsyncSession - -from app.schemas.entity import EntityRead -from app.core.db.database import async_get_db -from app.crud.crud_entity import crud_entity - -router = APIRouter(tags=["entities"]) - - -@router.get("/entities/{id}", response_model=EntityRead) -async def read_entity(request: Request, id: int, db: Annotated[AsyncSession, Depends(async_get_db)]): - entity = await crud_entity.get(db=db, id=id) +> Full setup (from-scratch, .env examples, PostgreSQL & Redis, gunicorn, nginx) lives in the [docs](https://benavlabs.github.io/FastAPI-boilerplate/getting-started/installation/). - if entity is None: # Explicit None check - raise NotFoundException("Entity not found") +## Configuration (minimal) - return entity +Create `src/.env` and set **app**, **database**, **JWT**, and **environment** settings. See the [docs](https://benavlabs.github.io/FastAPI-boilerplate/getting-started/configuration/) for a copy-pasteable example and production guidance. 
+[https://benavlabs.github.io/FastAPI-boilerplate/getting-started/configuration/](https://benavlabs.github.io/FastAPI-boilerplate/getting-started/configuration/) -@router.get("/entities", response_model=List[EntityRead]) -async def read_entities(request: Request, db: Annotated[AsyncSession, Depends(async_get_db)]): - entities = await crud_entity.get_multi(db=db, is_deleted=False) - return entities -``` - -Then in `app/api/v1/__init__.py` add the router: +* `ENVIRONMENT=local|staging|production` controls API docs exposure +* Set `ADMIN_*` to enable the first admin user -```python -from fastapi import APIRouter -from app.api.v1.entities import router as entity_router -from app.api.v1.users import router as user_router -from app.api.v1.posts import router as post_router +## Common tasks -router = APIRouter(prefix="/v1") - -router.include_router(user_router) -router.include_router(post_router) -router.include_router(entity_router) # Add your new router -``` +```bash +# run locally with reload (without Docker) +uv sync && uv run uvicorn src.app.main:app --reload -#### 5.7.1 Paginated Responses - -> 📖 **[See API pagination guide in our docs](https://benavlabs.github.io/FastAPI-boilerplate/user-guide/api/pagination/)** - -With the `get_multi` method we get a python `dict` with full suport for pagination: - -```javascript -{ - "data": [ - { - "id": 4, - "name": "User Userson", - "username": "userson4", - "email": "user.userson4@example.com", - "profile_image_url": "https://profileimageurl.com" - }, - { - "id": 5, - "name": "User Userson", - "username": "userson5", - "email": "user.userson5@example.com", - "profile_image_url": "https://profileimageurl.com" - } - ], - "total_count": 2, - "has_more": false, - "page": 1, - "items_per_page": 10 -} -``` +# run Alembic migrations +cd src && uv run alembic revision --autogenerate && uv run alembic upgrade head -And in the endpoint, we can import from `fastcrud.paginated` the following functions and Pydantic Schema: - -```python 
-from typing import Annotated -from fastapi import Depends, Request -from sqlalchemy.ext.asyncio import AsyncSession -from fastcrud.paginated import ( - PaginatedListResponse, # What you'll use as a response_model to validate - paginated_response, # Creates a paginated response based on the parameters - compute_offset, # Calculate the offset for pagination ((page - 1) * items_per_page) -) +# enqueue a background job (example endpoint) +curl -X POST 'http://127.0.0.1:8000/api/v1/tasks/task?message=hello' ``` -Then let's create the endpoint: - -```python -import fastapi - -from app.schemas.entity import EntityRead - -... - - -@router.get("/entities", response_model=PaginatedListResponse[EntityRead]) -async def read_entities( - request: Request, db: Annotated[AsyncSession, Depends(async_get_db)], page: int = 1, items_per_page: int = 10 -): - entities_data = await crud_entity.get_multi( - db=db, - offset=compute_offset(page, items_per_page), - limit=items_per_page, - schema_to_select=EntityRead, - is_deleted=False, - ) - - return paginated_response(crud_data=entities_data, page=page, items_per_page=items_per_page) -``` - -#### 5.7.2 HTTP Exceptions - -> 📖 **[See API exceptions guide in our docs](https://benavlabs.github.io/FastAPI-boilerplate/user-guide/api/exceptions/)** - -To add exceptions you may just import from `app/core/exceptions/http_exceptions` and optionally add a detail: - -```python -from app.core.exceptions.http_exceptions import NotFoundException, ForbiddenException, DuplicateValueException - - -@router.post("/entities", response_model=EntityRead, status_code=201) -async def create_entity( - request: Request, - entity_data: EntityCreate, - db: Annotated[AsyncSession, Depends(async_get_db)], - current_user: Annotated[UserRead, Depends(get_current_user)], -): - # Check if entity already exists - if await crud_entity.exists(db=db, name=entity_data.name) is True: - raise DuplicateValueException("Entity with this name already exists") - - # Check user 
permissions - if current_user.is_active is False: # Explicit boolean check - raise ForbiddenException("User account is disabled") - - # Create the entity - entity = await crud_entity.create(db=db, object=entity_data) - - if entity is None: # Explicit None check - raise CustomException("Failed to create entity") - - return entity - - -@router.get("/entities/{id}", response_model=EntityRead) -async def read_entity(request: Request, id: int, db: Annotated[AsyncSession, Depends(async_get_db)]): - entity = await crud_entity.get(db=db, id=id) - - if entity is None: # Explicit None check - raise NotFoundException("Entity not found") - - return entity -``` - -**The predefined possibilities in http_exceptions are the following:** - -- `CustomException`: 500 internal error -- `BadRequestException`: 400 bad request -- `NotFoundException`: 404 not found -- `ForbiddenException`: 403 forbidden -- `UnauthorizedException`: 401 unauthorized -- `UnprocessableEntityException`: 422 unprocessable entity -- `DuplicateValueException`: 422 unprocessable entity -- `RateLimitException`: 429 too many requests - -### 5.8 Caching - -> 📖 **[See comprehensive caching guide in our docs](https://benavlabs.github.io/FastAPI-boilerplate/user-guide/caching/)** - -The `cache` decorator allows you to cache the results of FastAPI endpoint functions, enhancing response times and reducing the load on your application by storing and retrieving data in a cache. - -Caching the response of an endpoint is really simple, just apply the `cache` decorator to the endpoint function. - -> \[!WARNING\] -> Note that you should always pass request as a variable to your endpoint function if you plan to use the cache decorator. - -```python -... 
-from app.core.utils.cache import cache - - -@app.get("/sample/{my_id}") -@cache(key_prefix="sample_data", expiration=3600, resource_id_name="my_id") -async def sample_endpoint(request: Request, my_id: int): - # Endpoint logic here - return {"data": "my_data"} -``` - -The way it works is: - -- the data is saved in redis with the following cache key: `sample_data:{my_id}` -- then the time to expire is set as 3600 seconds (that's the default) - -Another option is not passing the `resource_id_name`, but passing the `resource_id_type` (default int): - -```python -... -from app.core.utils.cache import cache - - -@app.get("/sample/{my_id}") -@cache(key_prefix="sample_data", resource_id_type=int) -async def sample_endpoint(request: Request, my_id: int): - # Endpoint logic here - return {"data": "my_data"} -``` - -In this case, what will happen is: - -- the `resource_id` will be inferred from the keyword arguments (`my_id` in this case) -- the data is saved in redis with the following cache key: `sample_data:{my_id}` -- then the the time to expire is set as 3600 seconds (that's the default) - -Passing resource_id_name is usually preferred. - -### 5.9 More Advanced Caching - -The behaviour of the `cache` decorator changes based on the request method of your endpoint. -It caches the result if you are passing it to a **GET** endpoint, and it invalidates the cache with this key_prefix and id if passed to other endpoints (**PATCH**, **DELETE**). - -#### Invalidating Extra Keys - -If you also want to invalidate cache with a different key, you can use the decorator with the `to_invalidate_extra` variable. - -In the following example, I want to invalidate the cache for a certain `user_id`, since I'm deleting it, but I also want to invalidate the cache for the list of users, so it will not be out of sync. 
- -```python -# The cache here will be saved as "{username}_posts:{username}": -@router.get("/{username}/posts", response_model=List[PostRead]) -@cache(key_prefix="{username}_posts", resource_id_name="username") -async def read_posts(request: Request, username: str, db: Annotated[AsyncSession, Depends(async_get_db)]): - ... - - -... - -# Invalidating cache for the former endpoint by just passing the key_prefix and id as a dictionary: -@router.delete("/{username}/post/{id}") -@cache( - "{username}_post_cache", - resource_id_name="id", - to_invalidate_extra={"{username}_posts": "{username}"}, # also invalidate "{username}_posts:{username}" cache -) -async def erase_post( - request: Request, - username: str, - id: int, - current_user: Annotated[UserRead, Depends(get_current_user)], - db: Annotated[AsyncSession, Depends(async_get_db)], -): - ... - - -# And now I'll also invalidate when I update the user: -@router.patch("/{username}/post/{id}", response_model=PostRead) -@cache("{username}_post_cache", resource_id_name="id", to_invalidate_extra={"{username}_posts": "{username}"}) -async def patch_post( - request: Request, - username: str, - id: int, - values: PostUpdate, - current_user: Annotated[UserRead, Depends(get_current_user)], - db: Annotated[AsyncSession, Depends(async_get_db)], -): - ... -``` - -> \[!WARNING\] -> Note that adding `to_invalidate_extra` will not work for **GET** requests. 
- -#### Invalidate Extra By Pattern - -Let's assume we have an endpoint with a paginated response, such as: - -```python -@router.get("/{username}/posts", response_model=PaginatedListResponse[PostRead]) -@cache( - key_prefix="{username}_posts:page_{page}:items_per_page:{items_per_page}", - resource_id_name="username", - expiration=60, -) -async def read_posts( - request: Request, - username: str, - db: Annotated[AsyncSession, Depends(async_get_db)], - page: int = 1, - items_per_page: int = 10, -): - db_user = await crud_users.get(db=db, schema_to_select=UserRead, username=username, is_deleted=False) - if not db_user: - raise HTTPException(status_code=404, detail="User not found") - - posts_data = await crud_posts.get_multi( - db=db, - offset=compute_offset(page, items_per_page), - limit=items_per_page, - schema_to_select=PostRead, - created_by_user_id=db_user["id"], - is_deleted=False, - ) - - return paginated_response(crud_data=posts_data, page=page, items_per_page=items_per_page) -``` - -Just passing `to_invalidate_extra` will not work to invalidate this cache, since the key will change based on the `page` and `items_per_page` values. -To overcome this we may use the `pattern_to_invalidate_extra` parameter: - -```python -@router.patch("/{username}/post/{id}") -@cache("{username}_post_cache", resource_id_name="id", pattern_to_invalidate_extra=["{username}_posts:*"]) -async def patch_post( - request: Request, - username: str, - id: int, - values: PostUpdate, - current_user: Annotated[UserRead, Depends(get_current_user)], - db: Annotated[AsyncSession, Depends(async_get_db)], -): - ... -``` - -Now it will invalidate all caches with a key that matches the pattern `"{username}_posts:*`, which will work for the paginated responses. - -> \[!CAUTION\] -> Using `pattern_to_invalidate_extra` can be resource-intensive on large datasets. Use it judiciously and consider the potential impact on Redis performance. 
Be cautious with patterns that could match a large number of keys, as deleting many keys simultaneously may impact the performance of the Redis server. - -#### Client-side Caching - -For `client-side caching`, all you have to do is let the `Settings` class defined in `app/core/config.py` inherit from the `ClientSideCacheSettings` class. You can set the `CLIENT_CACHE_MAX_AGE` value in `.env,` it defaults to 60 (seconds). - -### 5.10 ARQ Job Queues - -> 📖 **[See background tasks guide in our docs](https://benavlabs.github.io/FastAPI-boilerplate/user-guide/background-tasks/)** - -Depending on the problem your API is solving, you might want to implement a job queue. A job queue allows you to run tasks in the background, and is usually aimed at functions that require longer run times and don't directly impact user response in your frontend. As a rule of thumb, if a task takes more than 2 seconds to run, can be executed asynchronously, and its result is not needed for the next step of the user's interaction, then it is a good candidate for the job queue. - -> \[!TIP\] -> Very common candidates for background functions are calls to and from LLM endpoints (e.g. OpenAI or Openrouter). This is because they span tens of seconds and often need to be further parsed and saved. - -#### Background task creation - -For simple background tasks, you can just create a function in the `app/core/worker/functions.py` file. For more complex tasks, we recommend you to create a new file in the `app/core/worker` directory. - -```python -async def sample_background_task(ctx, name: str) -> str: - await asyncio.sleep(5) - return f"Task {name} is complete!" -``` - -Then add the function to the `WorkerSettings` class `functions` variable in `app/core/worker/settings.py` to make it available to the worker. 
If you created a new file in the `app/core/worker` directory, then simply import this function in the `app/core/worker/settings.py` file: - -```python -from .functions import sample_background_task -from .your_module import sample_complex_background_task - - -class WorkerSettings: - functions = [sample_background_task, sample_complex_background_task] - ... -``` - -#### Add the task to an endpoint - -Once you have created the background task, you can add it to any endpoint of your choice to be enqueued. The best practice is to enqueue the task in a **POST** endpoint, while having a **GET** endpoint to get more information on the task. For more details on how job results are handled, check the [ARQ docs](https://arq-docs.helpmanual.io/#job-results). - -```python -@router.post("/task", response_model=Job, status_code=201) -async def create_task(message: str): - job = await queue.pool.enqueue_job("sample_background_task", message) - return {"id": job.job_id} - - -@router.get("/task/{task_id}") -async def get_task(task_id: str): - job = ArqJob(task_id, queue.pool) - return await job.info() -``` - -And finally run the worker in parallel to your fastapi application. - -> \[!IMPORTANT\] -> For any change to the `sample_background_task` to be reflected in the worker, you need to restart the worker (e.g. the docker container). - -If you are using `docker compose`, the worker is already running. -If you are doing it from scratch, run while in the `root` folder: - -```sh -uv run arq src.app.core.worker.settings.WorkerSettings -``` - -#### Database session with background tasks - -With time your background functions will become 'workflows' increasing in complexity and requirements. Probably, you will need to use a database session to get, create, update, or delete data as part of this workflow. 
- -To do this, you can add the database session to the `ctx` object in the `startup` and `shutdown` functions in `app/core/worker/functions.py`, like in the example below: - -```python -from arq.worker import Worker -from ...core.db.database import async_get_db - - -async def startup(ctx: Worker) -> None: - ctx["db"] = await anext(async_get_db()) - logging.info("Worker Started") - - -async def shutdown(ctx: Worker) -> None: - await ctx["db"].close() - logging.info("Worker end") -``` - -This will allow you to have the async database session always available in any background function and automatically close it on worker shutdown. Once you have this database session, you can use it as follows: - -```python -from arq.worker import Worker - - -async def your_background_function( - ctx: Worker, - post_id: int, -) -> Any: - db = ctx["db"] - post = crud_posts.get(db=db, schema_to_select=PostRead, id=post_id) -``` - -> \[!WARNING\] -> When using database sessions, you will want to use Pydantic objects. However, these objects don't mingle well with the seralization required by ARQ tasks and will be retrieved as a dictionary. 
- -### 5.11 Rate Limiting - -> 📖 **[See rate limiting guide in our docs](https://benavlabs.github.io/FastAPI-boilerplate/user-guide/rate-limiting/)** - -To limit how many times a user can make a request in a certain interval of time (very useful to create subscription plans or just to protect your API against DDOS), you may just use the `rate_limiter_dependency` dependency: - -```python -from fastapi import Depends - -from app.api.dependencies import rate_limiter_dependency -from app.core.utils import queue -from app.schemas.job import Job - - -@router.post("/task", response_model=Job, status_code=201, dependencies=[Depends(rate_limiter_dependency)]) -async def create_task(message: str): - job = await queue.pool.enqueue_job("sample_background_task", message) - return {"id": job.job_id} -``` - -By default, if no token is passed in the header (that is - the user is not authenticated), the user will be limited by his IP address with the default `limit` (how many times the user can make this request every period) and `period` (time in seconds) defined in `.env`. - -Even though this is useful, real power comes from creating `tiers` (categories of users) and standard `rate_limits` (`limits` and `periods` defined for specific `paths` - that is - endpoints) for these tiers. - -All of the `tier` and `rate_limit` models, schemas, and endpoints are already created in the respective folders (and usable only by superusers). You may use the `create_tier` script to create the first tier (it uses the `.env` variable `TIER_NAME`, which is all you need to create a tier) or just use the api: - -Here I'll create a `free` tier: - -

- passing name = free to api request body -

- -And a `pro` tier: - -

- passing name = pro to api request body -

- -Then I'll associate a `rate_limit` for the path `api/v1/tasks/task` for each of them, I'll associate a `rate limit` for the path `api/v1/tasks/task`. - -> \[!WARNING\] -> Do not forget to add `api/v1/...` or any other prefix to the beggining of your path. For the structure of the boilerplate, `api/v1/` - -1 request every hour (3600 seconds) for the free tier: - -

- passing path=api/v1/tasks/task, limit=1, period=3600, name=api_v1_tasks:1:3600 to free tier rate limit -

- -10 requests every hour for the pro tier: - -

- passing path=api/v1/tasks/task, limit=10, period=3600, name=api_v1_tasks:10:3600 to pro tier rate limit -

- -Now let's read all the tiers available (`GET api/v1/tiers`): - -```javascript -{ - "data": [ - { - "name": "free", - "id": 1, - "created_at": "2023-11-11T05:57:25.420360" - }, - { - "name": "pro", - "id": 2, - "created_at": "2023-11-12T00:40:00.759847" - } - ], - "total_count": 2, - "has_more": false, - "page": 1, - "items_per_page": 10 -} -``` - -And read the `rate_limits` for the `pro` tier to ensure it's working (`GET api/v1/tier/pro/rate_limits`): - -```javascript -{ - "data": [ - { - "path": "api_v1_tasks_task", - "limit": 10, - "period": 3600, - "id": 1, - "tier_id": 2, - "name": "api_v1_tasks:10:3600" - } - ], - "total_count": 1, - "has_more": false, - "page": 1, - "items_per_page": 10 -} -``` - -Now, whenever an authenticated user makes a `POST` request to the `api/v1/tasks/task`, they'll use the quota that is defined by their tier. -You may check this getting the token from the `api/v1/login` endpoint, then passing it in the request header: - -```sh -curl -X POST 'http://127.0.0.1:8000/api/v1/tasks/task?message=test' \ --H 'Authorization: Bearer ' -``` - -> \[!TIP\] -> Since the `rate_limiter_dependency` dependency uses the `get_optional_user` dependency instead of `get_current_user`, it will not require authentication to be used, but will behave accordingly if the user is authenticated (and token is passed in header). If you want to ensure authentication, also use `get_current_user` if you need. - -To change a user's tier, you may just use the `PATCH api/v1/user/{username}/tier` endpoint. -Note that for flexibility (since this is a boilerplate), it's not necessary to previously inform a tier_id to create a user, but you probably should set every user to a certain tier (let's say `free`) once they are created. - -> \[!WARNING\] -> If a user does not have a `tier` or the tier does not have a defined `rate limit` for the path and the token is still passed to the request, the default `limit` and `period` will be used, this will be saved in `app/logs`. 
- -### 5.12 JWT Authentication - -> 📖 **[See authentication guide in our docs](https://benavlabs.github.io/FastAPI-boilerplate/user-guide/authentication/)** - -#### 5.12.1 Details - -The JWT in this boilerplate is created in the following way: - -1. **JWT Access Tokens:** how you actually access protected resources is passing this token in the request header. -1. **Refresh Tokens:** you use this type of token to get an `access token`, which you'll use to access protected resources. - -The `access token` is short lived (default 30 minutes) to reduce the damage of a potential leak. The `refresh token`, on the other hand, is long lived (default 7 days), and you use it to renew your `access token` without the need to provide username and password every time it expires. - -Since the `refresh token` lasts for a longer time, it's stored as a cookie in a secure way: - -```python -# app/api/v1/login - -... -response.set_cookie( - key="refresh_token", - value=refresh_token, - httponly=True, # Prevent access through JavaScript - secure=True, # Ensure cookie is sent over HTTPS only - samesite="Lax", # Default to Lax for reasonable balance between security and usability - max_age=number_of_seconds, # Set a max age for the cookie -) -... -``` - -You may change it to suit your needs. The possible options for `samesite` are: - -- `Lax`: Cookies will be sent in top-level navigations (like clicking on a link to go to another site), but not in API requests or images loaded from other sites. -- `Strict`: Cookies are sent only on top-level navigations from the same site that set the cookie, enhancing privacy but potentially disrupting user sessions. -- `None`: Cookies will be sent with both same-site and cross-site requests. - -#### 5.12.2 Usage - -What you should do with the client is: - -- `Login`: Send credentials to `/api/v1/login`. Store the returned access token in memory for subsequent requests. 
-- `Accessing Protected Routes`: Include the access token in the Authorization header. -- `Token Renewal`: On access token expiry, the front end should automatically call `/api/v1/refresh` for a new token. -- `Login Again`: If refresh token is expired, credentials should be sent to `/api/v1/login` again, storing the new access token in memory. -- `Logout`: Call /api/v1/logout to end the session securely. - -This authentication setup in the provides a robust, secure, and user-friendly way to handle user sessions in your API applications. - -### 5.13 Admin Panel - -> 📖 **[See admin panel guide in our docs](https://benavlabs.github.io/FastAPI-boilerplate/user-guide/admin-panel/)** - -The boilerplate includes a powerful web-based admin interface built with [CRUDAdmin](https://github.com/benavlabs/crudadmin) that provides a comprehensive database management system. - -> **About CRUDAdmin**: CRUDAdmin is a modern admin interface generator for FastAPI applications. Learn more at: -> -> - **📚 Documentation**: [benavlabs.github.io/crudadmin](https://benavlabs.github.io/crudadmin/) -> - **💻 GitHub**: [github.com/benavlabs/crudadmin](https://github.com/benavlabs/crudadmin) - -#### 5.13.1 Features - -The admin panel includes: - -- **User Management**: Create, view, update users with password hashing -- **Tier Management**: Manage user tiers and permissions -- **Post Management**: Full CRUD operations for posts -- **Authentication**: Secure login system with session management -- **Security**: IP restrictions, session timeouts, and secure cookies -- **Redis Integration**: Optional Redis support for session storage -- **Event Tracking**: Track admin actions and sessions - -#### 5.13.2 Access - -Once your application is running, you can access the admin panel at: - -``` -http://localhost:8000/admin -``` - -Use the admin credentials you defined in your `.env` file: - -- Username: `ADMIN_USERNAME` -- Password: `ADMIN_PASSWORD` - -#### 5.13.3 Configuration - -The admin panel is 
highly configurable through environment variables: - -- **Basic Settings**: Enable/disable, mount path -- **Security**: Session limits, timeouts, IP restrictions -- **Tracking**: Event and session tracking -- **Redis**: Optional Redis session storage - -See the [environment variables section](#31-environment-variables-env) for complete configuration options. - -#### 5.13.4 Customization - -**Adding New Models** - -To add new models to the admin panel, edit `src/app/admin/views.py`: - -```python -from your_app.models import YourModel -from your_app.schemas import YourCreateSchema, YourUpdateSchema - - -def register_admin_views(admin: CRUDAdmin) -> None: - # ... existing models ... - - admin.add_view( - model=YourModel, - create_schema=YourCreateSchema, - update_schema=YourUpdateSchema, - allowed_actions={"view", "create", "update", "delete"}, - ) -``` - -**Advanced Configuration** - -For more complex model configurations: - -```python -# Handle models with problematic fields (e.g., TSVector) -admin.add_view( - model=Article, - create_schema=ArticleCreate, - update_schema=ArticleUpdate, - select_schema=ArticleSelect, # Exclude problematic fields from read operations - allowed_actions={"view", "create", "update", "delete"}, -) - -# Password field handling -admin.add_view( - model=User, - create_schema=UserCreateWithPassword, - update_schema=UserUpdateWithPassword, - password_transformer=password_transformer, # Handles password hashing - allowed_actions={"view", "create", "update"}, -) - -# Read-only models -admin.add_view( - model=AuditLog, - create_schema=AuditLogSchema, - update_schema=AuditLogSchema, - allowed_actions={"view"}, # Only viewing allowed -) -``` - -**Session Backend Configuration** - -For production environments, consider using Redis for better performance: - -```python -# Enable Redis sessions in your environment -CRUD_ADMIN_REDIS_ENABLED = true -CRUD_ADMIN_REDIS_HOST = localhost -CRUD_ADMIN_REDIS_PORT = 6379 -``` - -### 5.14 Running - -If you are 
using docker compose, just running the following command should ensure everything is working: - -```sh -docker compose up -``` - -If you are doing it from scratch, ensure your postgres and your redis are running, then -while in the `root` folder, run to start the application with uvicorn server: - -```sh -uv run uvicorn src.app.main:app --reload -``` - -And for the worker: - -```sh -uv run arq src.app.core.worker.settings.WorkerSettings -``` - -### 5.15 Create Application - -If you want to stop tables from being created every time you run the api, you should disable this here: - -```python -# app/main.py - -from .api import router -from .core.config import settings -from .core.setup import create_application - -# create_tables_on_start defaults to True -app = create_application(router=router, settings=settings, create_tables_on_start=False) -``` - -This `create_application` function is defined in `app/core/setup.py`, and it's a flexible way to configure the behavior of your application. - -A few examples: - -- Deactivate or password protect /docs -- Add client-side cache middleware -- Add Startup and Shutdown event handlers for cache, queue and rate limit - -### 5.16 Opting Out of Services - -To opt out of services (like `Redis`, `Queue`, `Rate Limiter`), head to the `Settings` class in `src/app/core/config`: - -```python -# src/app/core/config -import os -from enum import Enum - -from pydantic_settings import BaseSettings -from starlette.config import Config - -current_file_dir = os.path.dirname(os.path.realpath(__file__)) -env_path = os.path.join(current_file_dir, "..", "..", ".env") -config = Config(env_path) -... 
- - -class Settings( - AppSettings, - PostgresSettings, - CryptSettings, - FirstUserSettings, - TestSettings, - RedisCacheSettings, - ClientSideCacheSettings, - RedisQueueSettings, - RedisRateLimiterSettings, - DefaultRateLimitSettings, - CRUDAdminSettings, - EnvironmentSettings, - CORSSettings, -): - pass - - -settings = Settings() -``` - -And remove the Settings of the services you do not need. For example, without using redis (removed `Cache`, `Queue` and `Rate limit`): - -```python -class Settings( - AppSettings, - PostgresSettings, - CryptSettings, - FirstUserSettings, - TestSettings, - ClientSideCacheSettings, - DefaultRateLimitSettings, - EnvironmentSettings, - CORSSettings, -): - pass -``` - -Then comment or remove the services you do not want from `docker-compose.yml`. Here, I removed `redis` and `worker` services: - -```yml -version: '3.8' - -services: - web: - build: - context: . - dockerfile: Dockerfile - # -------- replace with comment to run with gunicorn -------- - command: uvicorn app.main:app --host 0.0.0.0 --port 8000 --reload - # command: gunicorn app.main:app -w 4 -k uvicorn.workers.UvicornWorker -b 0.0.0.0:8000 - env_file: - - ./src/.env - # -------- replace with comment if you are using nginx -------- - ports: - - "8000:8000" - # expose: - # - "8000" - depends_on: - - db - - redis - volumes: - - ./src/app:/code/app - - ./src/.env:/code/.env - db: - image: postgres:13 - env_file: - - ./src/.env - volumes: - - postgres-data:/var/lib/postgresql/data - # -------- replace with comment to run migrations with docker -------- - expose: - - "5432" - # ports: - # - 5432:5432 - -volumes: - postgres-data: - redis-data: - #pgadmin-data: -``` - -## 6. 
Running in Production - -> 📖 **[See production deployment guide in our docs](https://benavlabs.github.io/FastAPI-boilerplate/user-guide/production/)** - -### 6.1 Uvicorn Workers with Gunicorn - -In production you may want to run using gunicorn to manage uvicorn workers: - -```sh -command: gunicorn app.main:app -w 4 -k uvicorn.workers.UvicornWorker -b 0.0.0.0:8000 -``` - -Here it's running with 4 workers, but you should test it depending on how many cores your machine has. - -To do this if you are using docker compose, just replace the comment: -This part in `docker-compose.yml`: - -```YAML -# docker-compose.yml - -# -------- replace with comment to run with gunicorn -------- -command: uvicorn app.main:app --host 0.0.0.0 --port 8000 --reload -# command: gunicorn app.main:app -w 4 -k uvicorn.workers.UvicornWorker -b 0.0.0.0:8000 -``` - -Should be changed to: - -```YAML -# docker-compose.yml - -# -------- replace with comment to run with uvicorn -------- -# command: uvicorn app.main:app --host 0.0.0.0 --port 8000 --reload -command: gunicorn app.main:app -w 4 -k uvicorn.workers.UvicornWorker -b 0.0.0.0:8000 -``` - -And the same in `Dockerfile`: -This part: - -```Dockerfile -# Dockerfile - -CMD ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "8000", "--reload"] -# CMD ["gunicorn", "app.main:app", "-w", "4", "-k", "uvicorn.workers.UvicornWorker". "-b", "0.0.0.0:8000"] -``` - -Should be changed to: - -```Dockerfile -# Dockerfile - -# CMD ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "8000", "--reload"] -CMD ["gunicorn", "app.main:app", "-w", "4", "-k", "uvicorn.workers.UvicornWorker". "-b", "0.0.0.0:8000"] -``` - -> \[!CAUTION\] -> Do not forget to set the `ENVIRONMENT` in `.env` to `production` unless you want the API docs to be public. - -### 6.2 Running with NGINX - -NGINX is a high-performance web server, known for its stability, rich feature set, simple configuration, and low resource consumption. 
NGINX acts as a reverse proxy, that is, it receives client requests, forwards them to the FastAPI server (running via Uvicorn or Gunicorn), and then passes the responses back to the clients. - -To run with NGINX, you start by uncommenting the following part in your `docker-compose.yml`: - -```python -# docker-compose.yml - -... -# -------- uncomment to run with nginx -------- -# nginx: -# image: nginx:latest -# ports: -# - "80:80" -# volumes: -# - ./default.conf:/etc/nginx/conf.d/default.conf -# depends_on: -# - web -... -``` - -Which should be changed to: - -```YAML -# docker-compose.yml - -... - #-------- uncomment to run with nginx -------- - nginx: - image: nginx:latest - ports: - - "80:80" - volumes: - - ./default.conf:/etc/nginx/conf.d/default.conf - depends_on: - - web -... -``` - -Then comment the following part: - -```YAML -# docker-compose.yml - -services: - web: - ... - # -------- Both of the following should be commented to run with nginx -------- - command: uvicorn app.main:app --host 0.0.0.0 --port 8000 --reload - # command: gunicorn app.main:app -w 4 -k uvicorn.workers.UvicornWorker -b 0.0.0.0:8000 -``` - -Which becomes: - -```YAML -# docker-compose.yml - -services: - web: - ... - # -------- Both of the following should be commented to run with nginx -------- - # command: uvicorn app.main:app --host 0.0.0.0 --port 8000 --reload - # command: gunicorn app.main:app -w 4 -k uvicorn.workers.UvicornWorker -b 0.0.0.0:8000 -``` - -Then pick the way you want to run (uvicorn or gunicorn managing uvicorn workers) in `Dockerfile`. -The one you want should be uncommented, comment the other one. - -```Dockerfile -# Dockerfile - -CMD ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "8000", "--reload"] -# CMD ["gunicorn", "app.main:app", "-w", "4", "-k", "uvicorn.workers.UvicornWorker". "-b", "0.0.0.0:8000"] -``` - -And finally head to `http://localhost/docs`. - -#### 6.2.1 One Server - -If you want to run with one server only, your setup should be ready. 
Just make sure the only part that is not a comment in `default.conf` is: - -```conf -# default.conf - -# ---------------- Running With One Server ---------------- -server { - listen 80; - - location / { - proxy_pass http://web:8000; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - } -} -``` - -So just type on your browser: `http://localhost/docs`. - -#### 6.2.2 Multiple Servers - -NGINX can distribute incoming network traffic across multiple servers, improving the efficiency and capacity utilization of your application. - -To run with multiple servers, just comment the `Running With One Server` part in `default.conf` and Uncomment the other one: - -```conf -# default.conf - -# ---------------- Running With One Server ---------------- -... - -# ---------------- To Run with Multiple Servers, Uncomment below ---------------- -upstream fastapi_app { - server fastapi1:8000; # Replace with actual server names or IP addresses - server fastapi2:8000; - # Add more servers as needed -} - -server { - listen 80; - - location / { - proxy_pass http://fastapi_app; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - } -} -``` - -And finally, on your browser: `http://localhost/docs`. - -> \[!WARNING\] -> Note that we are using `fastapi1:8000` and `fastapi2:8000` as examples, you should replace it with the actual name of your service and the port it's running on. - -## 7. Testing - -> 📖 **[See comprehensive testing guide in our docs](https://benavlabs.github.io/FastAPI-boilerplate/user-guide/testing/)** - -This project uses **fast unit tests** that don't require external services like databases or Redis. Tests are isolated using mocks and run in milliseconds. 
- -### 7.1 Writing Tests - -Create test files with the name `test_{entity}.py` in the `tests/` folder, replacing `{entity}` with what you're testing: - -```sh -touch tests/test_items.py -``` - -Follow the structure in `tests/test_user.py` for examples. Our tests use: - -- **pytest** with **pytest-asyncio** for async support -- **unittest.mock** for mocking dependencies -- **AsyncMock** for async function mocking -- **Faker** for generating test data - -Example test structure: - -```python -import pytest -from unittest.mock import AsyncMock, patch -from src.app.api.v1.users import write_user - - -class TestWriteUser: - @pytest.mark.asyncio - async def test_create_user_success(self, mock_db, sample_user_data): - """Test successful user creation.""" - with patch("src.app.api.v1.users.crud_users") as mock_crud: - mock_crud.exists = AsyncMock(return_value=False) - mock_crud.create = AsyncMock(return_value=Mock(id=1)) - - result = await write_user(Mock(), sample_user_data, mock_db) - - assert result.id == 1 - mock_crud.create.assert_called_once() -``` - -### 7.2 Running Tests - -Run all unit tests: - -```sh -uv run pytest -``` - -Run specific test file: - -```sh -uv run pytest tests/test_user_unit.py -``` - -Run specific test file: - -```sh -uv run pytest tests/test_user_unit.py -``` - -Run with verbose output: - -```sh -uv run pytest -v -``` - -Run specific test: - -```sh -uv run pytest tests/test_user_unit.py::TestWriteUser::test_create_user_success -``` - -### 7.3 Test Configuration - -Tests are configured in `pyproject.toml`: - -```toml -[tool.pytest.ini_options] -filterwarnings = [ - "ignore::PendingDeprecationWarning:starlette.formparsers", -] -``` - -### 7.4 Test Structure - -- **Unit Tests** (`test_*_unit.py`): Fast, isolated tests with mocked dependencies -- **Fixtures** (`conftest.py`): Shared test fixtures and mock setups -- **Helpers** (`tests/helpers/`): Utilities for generating test data and mocks - -### 7.5 Benefits of Our Approach - -✅ **Fast**: Tests run 
in ~0.04 seconds -✅ **Reliable**: No external dependencies required -✅ **Isolated**: Each test focuses on one piece of functionality -✅ **Maintainable**: Easy to understand and modify -✅ **CI/CD Ready**: Run anywhere without infrastructure setup +More examples (superuser creation, tiers, rate limits, admin usage) in the [docs](https://benavlabs.github.io/FastAPI-boilerplate/getting-started/first-run/). -## 8. Contributing +## Contributing Read [contributing](CONTRIBUTING.md). -## 9. References +## References This project was inspired by a few projects, it's based on them with things changed to the way I like (and pydantic, sqlalchemy updated) @@ -2204,14 +208,13 @@ This project was inspired by a few projects, it's based on them with things chan - [`Async Web API with FastAPI + SQLAlchemy 2.0`](https://github.com/rhoboro/async-fastapi-sqlalchemy) for sqlalchemy 2.0 ORM examples - [`FastaAPI Rocket Boilerplate`](https://github.com/asacristani/fastapi-rocket-boilerplate/tree/main) for docker compose -## 10. License +## License [`MIT`](LICENSE.md) -## 11. Contact +## Contact -Benav Labs – [benav.io](https://benav.io) -[github.com/benavlabs](https://github.com/benavlabs/) +Benav Labs – [benav.io](https://benav.io), [discord server](https://discord.com/invite/TEmPs22gqB)
diff --git a/docs/getting-started/configuration.md b/docs/getting-started/configuration.md index 16b73f64..32f13d78 100644 --- a/docs/getting-started/configuration.md +++ b/docs/getting-started/configuration.md @@ -115,6 +115,25 @@ DEFAULT_RATE_LIMIT_LIMIT=10 # Default: 10 requests DEFAULT_RATE_LIMIT_PERIOD=3600 # Default: 3600 seconds (1 hour) ``` +### CORS Configuration + +Configure Cross-Origin Resource Sharing for your frontend: + +```env +# CORS Settings +CORS_ORIGINS="*" # Comma-separated origins (use specific domains in production) +CORS_METHODS="*" # Comma-separated HTTP methods or "*" for all +CORS_HEADERS="*" # Comma-separated headers or "*" for all +``` + +!!! warning "CORS in Production" + Never use `"*"` for CORS_ORIGINS in production. Specify exact domains: + ```env + CORS_ORIGINS="https://yourapp.com,https://www.yourapp.com" + CORS_METHODS="GET,POST,PUT,DELETE,PATCH" + CORS_HEADERS="Authorization,Content-Type" + ``` + ### First Tier ```env diff --git a/docs/user-guide/configuration/environment-variables.md b/docs/user-guide/configuration/environment-variables.md index 6da60d8a..c545d9a6 100644 --- a/docs/user-guide/configuration/environment-variables.md +++ b/docs/user-guide/configuration/environment-variables.md 
@@ -172,6 +172,40 @@ ADMIN_PASSWORD="secure_admin_password" - `ADMIN_USERNAME`: Username for admin login - `ADMIN_PASSWORD`: Initial password (change after first login) +### CORS Configuration + +Cross-Origin Resource Sharing (CORS) settings for frontend integration: + +```env +# ------------- CORS ------------- +CORS_ORIGINS="*" +CORS_METHODS="*" +CORS_HEADERS="*" +``` + +**Variables Explained:** + +- `CORS_ORIGINS`: Comma-separated list of allowed origins (e.g., `"https://app.com,https://www.app.com"`) +- `CORS_METHODS`: Comma-separated list of allowed HTTP methods (e.g., `"GET,POST,PUT,DELETE"`) +- `CORS_HEADERS`: Comma-separated list of allowed headers (e.g., `"Authorization,Content-Type"`) + +**Environment-Specific Values:** + +```env +# Development - Allow all origins +CORS_ORIGINS="*" +CORS_METHODS="*" +CORS_HEADERS="*" + +# Production - Specific domains only +CORS_ORIGINS="https://yourapp.com,https://www.yourapp.com" +CORS_METHODS="GET,POST,PUT,DELETE,PATCH" +CORS_HEADERS="Authorization,Content-Type,X-Requested-With" +``` + +!!! danger "Security Warning" + Never use wildcard (`*`) for `CORS_ORIGINS` in production environments. Always specify exact allowed domains to prevent unauthorized cross-origin requests. + ### User Tiers Initial tier configuration: diff --git a/scripts/gunicorn_managing_uvicorn_workers/.env.example b/scripts/gunicorn_managing_uvicorn_workers/.env.example new file mode 100644 index 00000000..1c1e5859 --- /dev/null +++ b/scripts/gunicorn_managing_uvicorn_workers/.env.example 
@@ -0,0 +1,67 @@
+# ============================================================================
+# WARNING: EXAMPLE CONFIGURATION - DO NOT USE IN PRODUCTION AS-IS
+# ============================================================================
+# This file contains example values for development/testing purposes only.
+#
+# SECURITY CRITICAL: Before deploying to production, you MUST:
+# 1. Copy this file to src/.env
+# 2. Generate a new SECRET_KEY using: openssl rand -hex 32
+# 3. Change all passwords (POSTGRES_PASSWORD, ADMIN_PASSWORD, etc.)
+# 4. Update all sensitive configuration values
+#
+# Using these example values in production is a SECURITY RISK.
+# ============================================================================
+
+# ------------- app settings -------------
+APP_NAME="My Project"
+APP_DESCRIPTION="My Project Description"
+APP_VERSION="0.1"
+CONTACT_NAME="Me"
+CONTACT_EMAIL="my.email@example.com"
+LICENSE_NAME="MIT"
+
+# ------------- database -------------
+POSTGRES_USER="postgres"
+POSTGRES_PASSWORD=1234
+POSTGRES_SERVER="db"
+POSTGRES_PORT=5432
+POSTGRES_DB="postgres"
+POSTGRES_ASYNC_PREFIX="postgresql+asyncpg://"
+
+# ------------- crypt -------------
+SECRET_KEY=953843cd400d99a039698e7feb46ca1b3e33c44fee2c24c6d88cf0f0b290fb61
+ALGORITHM=HS256
+ACCESS_TOKEN_EXPIRE_MINUTES=60
+
+# ------------- admin -------------
+ADMIN_NAME="admin"
+ADMIN_EMAIL="admin@example.com"
+ADMIN_USERNAME="admin"
+ADMIN_PASSWORD="Str1ngst!"
+
+# ------------- redis cache -------------
+REDIS_CACHE_HOST="redis"
+REDIS_CACHE_PORT=6379
+
+# ------------- redis queue -------------
+REDIS_QUEUE_HOST="redis"
+REDIS_QUEUE_PORT=6379
+
+# ------------- redis rate limit -------------
+REDIS_RATE_LIMIT_HOST="redis"
+REDIS_RATE_LIMIT_PORT=6379
+
+# ------------- client side cache -------------
+CLIENT_CACHE_MAX_AGE=60
+
+# ------------- test -------------
+TEST_NAME="Tester User"
+TEST_EMAIL="test@tester.com"
+TEST_USERNAME="testeruser"
+TEST_PASSWORD="Str1ngT3st!"
+
+# ------------- environment -------------
+ENVIRONMENT="staging"
+
+# ------------- first tier -------------
+TIER_NAME="free"
diff --git a/scripts/gunicorn_managing_uvicorn_workers/Dockerfile b/scripts/gunicorn_managing_uvicorn_workers/Dockerfile
new file mode 100644
index 00000000..98d55fcf
--- /dev/null
+++ b/scripts/gunicorn_managing_uvicorn_workers/Dockerfile
@@ -0,0 +1,27 @@
+# --------- requirements ---------
+
+FROM python:3.11 as requirements-stage
+
+WORKDIR /tmp
+
+RUN pip install poetry
+
+COPY ./pyproject.toml ./poetry.lock* /tmp/
+
+RUN poetry export -f requirements.txt --output requirements.txt --without-hashes
+
+
+# --------- final image build ---------
+FROM python:3.11
+
+WORKDIR /code
+
+COPY --from=requirements-stage /tmp/requirements.txt /code/requirements.txt
+
+RUN pip install --no-cache-dir --upgrade -r /code/requirements.txt
+
+COPY ./src/app /code/app
+
+# -------- replace with comment to run with gunicorn --------
+# CMD ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "8000", "--reload"]
+CMD ["gunicorn", "app.main:app", "-w", "4", "-k", "uvicorn.workers.UvicornWorker", "-b", "0.0.0.0:8000"]
diff --git a/scripts/gunicorn_managing_uvicorn_workers/docker-compose.yml b/scripts/gunicorn_managing_uvicorn_workers/docker-compose.yml
new file mode 100644
index 00000000..8b4cefdf
--- /dev/null
+++ b/scripts/gunicorn_managing_uvicorn_workers/docker-compose.yml
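Review bot: `SECRET_KEY=953843cd…fb61` in the `crypt` block commits a complete, valid-looking signing key to the repository; the header tells readers to regenerate it, but example files get copied verbatim, and a committed 64-hex literal is exactly what secret scanners flag. The same pattern is in `scripts/local_with_uvicorn/.env.example` and `scripts/production_with_nginx/.env.example`, each with its own literal. Ship the key empty with the generation command beside it, `SECRET_KEY=  # generate with: openssl rand -hex 32`, so a copy made without editing has no key rather than a public one (whether an empty value is rejected at startup depends on `CryptSettings`, which is not in this diff). `POSTGRES_PASSWORD=1234` and `ADMIN_PASSWORD="Str1ngst!"` deserve the same treatment.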
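Review bot: The final stage has no `USER` instruction, so gunicorn and its workers run as root; `scripts/local_with_uvicorn/Dockerfile` in this same series creates an `app` user and switches to it, and `scripts/production_with_nginx/Dockerfile` has the same gap as this file. Reusing that pattern is two instructions before the `CMD`: `RUN groupadd --gid 1000 app && useradd --uid 1000 --gid app --shell /bin/bash --create-home app` and `USER app`. Separately, the requirements stage runs `poetry export` against `./poetry.lock*`, while everything else in the series is uv-based (`uv run` in the README, the `uv.lock` bind mount in the local Dockerfile), so unless a poetry lock is also maintained the export resolves from `pyproject.toml` alone and the pin set drifts from `uv.lock` — worth confirming. `FROM python:3.11 as requirements-stage` should use uppercase `AS`, matching the local Dockerfile's `FROM … AS builder`.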
@@ -0,0 +1,112 @@ +services: + web: + build: + context: . + dockerfile: Dockerfile + # -------- Both of the following commands should be commented to run with nginx -------- + + # -------- replace with comment to run with gunicorn or just uvicorn -------- + # command: uvicorn app.main:app --host 0.0.0.0 --port 8000 --reload + command: gunicorn app.main:app -w 4 -k uvicorn.workers.UvicornWorker -b 0.0.0.0:8000 + env_file: + - ./src/.env + # -------- replace with expose if you are using nginx -------- + ports: + - "8000:8000" + # expose: + # - "8000" + depends_on: + - db + - redis + volumes: + - ./src/app:/code/app + - ./src/.env:/code/.env + + worker: + build: + context: . + dockerfile: Dockerfile + command: arq app.core.worker.settings.WorkerSettings + env_file: + - ./src/.env + depends_on: + - db + - redis + volumes: + - ./src/app:/code/app + - ./src/.env:/code/.env + + db: + image: postgres:13 + env_file: + - ./src/.env + volumes: + - postgres-data:/var/lib/postgresql/data + expose: + - "5432" + + redis: + image: redis:alpine + volumes: + - redis-data:/data + expose: + - "6379" + + #-------- uncomment to run with nginx -------- + # nginx: + # image: nginx:latest + # ports: + # - "80:80" + # volumes: + # - ./default.conf:/etc/nginx/conf.d/default.conf + # depends_on: + # - web + + #-------- uncomment to create first superuser -------- + create_superuser: + build: + context: . + dockerfile: Dockerfile + env_file: + - ./src/.env + depends_on: + - db + - web + command: python -m src.scripts.create_first_superuser + volumes: + - ./src:/code/src + + #-------- uncomment to run tests -------- + # pytest: + # build: + # context: . + # dockerfile: Dockerfile + # env_file: + # - ./src/.env + # depends_on: + # - db + # - create_superuser + # - redis + # command: python -m pytest ./tests + # volumes: + # - .:/code + + #-------- uncomment to create first tier -------- + # create_tier: + # build: + # context: . 
+ # dockerfile: Dockerfile + # env_file: + # - ./src/.env + # depends_on: + # - create_superuser + # - db + # - web + # command: python -m src.scripts.create_first_tier + # volumes: + # - ./src:/code/src + +volumes: + postgres-data: + redis-data: + \ No newline at end of file diff --git a/scripts/local_with_uvicorn/.env.example b/scripts/local_with_uvicorn/.env.example new file mode 100644 index 00000000..0e741359 --- /dev/null +++ b/scripts/local_with_uvicorn/.env.example 
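Review bot: `create_superuser` is an active service, yet it sits under `#-------- uncomment to create first superuser --------`, so the marker contradicts the configuration and a reader trusting it would leave a one-shot job re-running on every `docker compose up`. The same stale markers are in `scripts/local_with_uvicorn/docker-compose.yml` (`create_superuser`, `pytest`) and `scripts/production_with_nginx/docker-compose.yml` (`nginx`); reword each to describe the state the file is actually in, e.g. `#-------- comment out once the first superuser exists --------`. Also, `context: .` and `./src/.env` resolve relative to this file's directory under `scripts/`, which presumably holds neither `src/` nor the `pyproject.toml` the Dockerfile copies; if these files are meant to be copied to the repository root first, a one-line comment at the top saying so would prevent the build error.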
@@ -0,0 +1,72 @@
+# ============================================================================
+# WARNING: EXAMPLE CONFIGURATION - DO NOT USE IN PRODUCTION AS-IS
+# ============================================================================
+# This file contains example values for development/testing purposes only.
+#
+# SECURITY CRITICAL: Before deploying to production, you MUST:
+# 1. Copy this file to src/.env
+# 2. Generate a new SECRET_KEY using: openssl rand -hex 32
+# 3. Change all passwords (POSTGRES_PASSWORD, ADMIN_PASSWORD, etc.)
+# 4. Update all sensitive configuration values
+#
+# Using these example values in production is a SECURITY RISK.
+# ============================================================================
+
+# ------------- app settings -------------
+APP_NAME="My Project"
+APP_DESCRIPTION="My Project Description"
+APP_VERSION="0.1"
+CONTACT_NAME="Me"
+CONTACT_EMAIL="my.email@example.com"
+LICENSE_NAME="MIT"
+
+# ------------- database -------------
+POSTGRES_USER="postgres"
+POSTGRES_PASSWORD=1234
+POSTGRES_SERVER="db"
+POSTGRES_PORT=5432
+POSTGRES_DB="postgres"
+POSTGRES_ASYNC_PREFIX="postgresql+asyncpg://"
+
+# ------------- crypt -------------
+SECRET_KEY=de2132a4a3a029d6a93a2aefcb519f0219990f92ca258a7c5ed938a444dbe1c8
+ALGORITHM=HS256
+ACCESS_TOKEN_EXPIRE_MINUTES=60
+
+# ------------- admin -------------
+ADMIN_NAME="admin"
+ADMIN_EMAIL="admin@example.com"
+ADMIN_USERNAME="admin"
+ADMIN_PASSWORD="Str1ngst!"
+
+# ------------- redis cache -------------
+REDIS_CACHE_HOST="redis"
+REDIS_CACHE_PORT=6379
+
+# ------------- redis queue -------------
+REDIS_QUEUE_HOST="redis"
+REDIS_QUEUE_PORT=6379
+
+# ------------- redis rate limit -------------
+REDIS_RATE_LIMIT_HOST="redis"
+REDIS_RATE_LIMIT_PORT=6379
+
+# ------------- client side cache -------------
+CLIENT_CACHE_MAX_AGE=60
+
+# ------------- CORS -------------
+CORS_ORIGINS="*"
+CORS_METHODS="*"
+CORS_HEADERS="*"
+
+# ------------- test -------------
+TEST_NAME="Tester User"
+TEST_EMAIL="test@tester.com"
+TEST_USERNAME="testeruser"
+TEST_PASSWORD="Str1ngT3st!"
+
+# ------------- environment -------------
+ENVIRONMENT="local"
+
+# ------------- first tier -------------
+TIER_NAME="free"
diff --git a/scripts/local_with_uvicorn/Dockerfile b/scripts/local_with_uvicorn/Dockerfile
new file mode 100644
index 00000000..2c3795ab
--- /dev/null
+++ b/scripts/local_with_uvicorn/Dockerfile
@@ -0,0 +1,44 @@
+# --------- Builder Stage ---------
+FROM ghcr.io/astral-sh/uv:python3.11-bookworm-slim AS builder
+
+# Set environment variables for uv
+ENV UV_COMPILE_BYTECODE=1
+ENV UV_LINK_MODE=copy
+
+WORKDIR /app
+
+# Install dependencies first (for better layer caching)
+RUN --mount=type=cache,target=/root/.cache/uv \
+ --mount=type=bind,source=uv.lock,target=uv.lock \
+ --mount=type=bind,source=pyproject.toml,target=pyproject.toml \
+ uv sync --locked --no-install-project
+
+# Copy the project source code
+COPY . /app
+
+# Install the project in non-editable mode
+RUN --mount=type=cache,target=/root/.cache/uv \
+ uv sync --locked --no-editable
+
+# --------- Final Stage ---------
+FROM python:3.11-slim-bookworm
+
+# Create a non-root user for security
+RUN groupadd --gid 1000 app \
+ && useradd --uid 1000 --gid app --shell /bin/bash --create-home app
+
+# Copy the virtual environment from the builder stage
+COPY --from=builder --chown=app:app /app/.venv /app/.venv
+
+# Ensure the virtual environment is in the PATH
+ENV PATH="/app/.venv/bin:$PATH"
+
+# Switch to the non-root user
+USER app
+
+# Set the working directory
+WORKDIR /code
+
+# -------- replace with comment to run with gunicorn --------
+CMD ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "8000", "--reload"]
+# CMD ["gunicorn", "app.main:app", "-w", "4", "-k", "uvicorn.workers.UvicornWorker", "-b", "0.0.0.0:8000"]
diff --git a/scripts/local_with_uvicorn/docker-compose.yml b/scripts/local_with_uvicorn/docker-compose.yml
new file mode 100644
index 00000000..14cf968d
--- /dev/null
+++ b/scripts/local_with_uvicorn/docker-compose.yml
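Review bot: `COPY . /app` pulls the whole build context into the builder stage, and the compose file for this image expects a populated `./src/.env` in that same context, so the secrets end up in a builder layer and the build cache; only `/app/.venv` is copied into the final stage, so they do not reach the shipped image, but a `.dockerignore` excluding `.env`, `.git` and `tests/` is not part of this change and belongs next to this Dockerfile. The `--reload` in the `CMD` appears to have something to watch only when the compose bind mount `./src/app:/code/app` is present, since the image itself installs the project non-editably into `/app/.venv` and `WORKDIR /code` is otherwise empty; a comment stating that dependency would help anyone running the image standalone.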
@@ -0,0 +1,112 @@ +services: + web: + build: + context: . + dockerfile: Dockerfile + # -------- Both of the following commands should be commented to run with nginx -------- + + # -------- replace with comment to run with gunicorn -------- + command: uvicorn app.main:app --host 0.0.0.0 --port 8000 --reload + # command: gunicorn app.main:app -w 4 -k uvicorn.workers.UvicornWorker -b 0.0.0.0:8000 + env_file: + - ./src/.env + # -------- replace with expose if you are using nginx -------- + ports: + - "8000:8000" + # expose: + # - "8000" + depends_on: + - db + - redis + volumes: + - ./src/app:/code/app + - ./src/.env:/code/.env + + worker: + build: + context: . + dockerfile: Dockerfile + command: arq app.core.worker.settings.WorkerSettings + env_file: + - ./src/.env + depends_on: + - db + - redis + volumes: + - ./src/app:/code/app + - ./src/.env:/code/.env + + db: + image: postgres:13 + env_file: + - ./src/.env + volumes: + - postgres-data:/var/lib/postgresql/data + expose: + - "5432" + + redis: + image: redis:alpine + volumes: + - redis-data:/data + expose: + - "6379" + + #-------- uncomment to run with nginx -------- + # nginx: + # image: nginx:latest + # ports: + # - "80:80" + # volumes: + # - ./default.conf:/etc/nginx/conf.d/default.conf + # depends_on: + # - web + + #-------- uncomment to create first superuser -------- + create_superuser: + build: + context: . + dockerfile: Dockerfile + env_file: + - ./src/.env + depends_on: + - db + - web + command: python -m src.scripts.create_first_superuser + volumes: + - ./src:/code/src + + #-------- uncomment to run tests -------- + pytest: + build: + context: . + dockerfile: Dockerfile + env_file: + - ./src/.env + depends_on: + - db + - create_superuser + - redis + command: python -m pytest ./tests + volumes: + - .:/code + + #-------- uncomment to create first tier -------- + # create_tier: + # build: + # context: . 
+ # dockerfile: Dockerfile + # env_file: + # - ./src/.env + # depends_on: + # - create_superuser + # - db + # - web + # command: python -m src.scripts.create_first_tier + # volumes: + # - ./src:/code/src + +volumes: + postgres-data: + redis-data: + diff --git a/scripts/production_with_nginx/.env.example b/scripts/production_with_nginx/.env.example new file mode 100644 index 00000000..6f9c5d68 --- /dev/null +++ b/scripts/production_with_nginx/.env.example 
@@ -0,0 +1,67 @@
+# ============================================================================
+# WARNING: EXAMPLE CONFIGURATION - DO NOT USE IN PRODUCTION AS-IS
+# ============================================================================
+# This file contains example values for development/testing purposes only.
+#
+# SECURITY CRITICAL: Before deploying to production, you MUST:
+# 1. Copy this file to src/.env
+# 2. Generate a new SECRET_KEY using: openssl rand -hex 32
+# 3. Change all passwords (POSTGRES_PASSWORD, ADMIN_PASSWORD, etc.)
+# 4. Update all sensitive configuration values
+#
+# Using these example values in production is a SECURITY RISK.
+# ============================================================================
+
+# ------------- app settings -------------
+APP_NAME="My Project"
+APP_DESCRIPTION="My Project Description"
+APP_VERSION="0.1"
+CONTACT_NAME="Me"
+CONTACT_EMAIL="my.email@example.com"
+LICENSE_NAME="MIT"
+
+# ------------- database -------------
+POSTGRES_USER="postgres"
+POSTGRES_PASSWORD=1234
+POSTGRES_SERVER="db"
+POSTGRES_PORT=5432
+POSTGRES_DB="postgres"
+POSTGRES_ASYNC_PREFIX="postgresql+asyncpg://"
+
+# ------------- crypt -------------
+SECRET_KEY=db210482bea9aae930b00b17f3449a21340c281ac7e1f2a4e33e2c5cd77f291e
+ALGORITHM=HS256
+ACCESS_TOKEN_EXPIRE_MINUTES=60
+
+# ------------- admin -------------
+ADMIN_NAME="admin"
+ADMIN_EMAIL="admin@example.com"
+ADMIN_USERNAME="admin"
+ADMIN_PASSWORD="Str1ngst!"
+
+# ------------- redis cache -------------
+REDIS_CACHE_HOST="redis"
+REDIS_CACHE_PORT=6379
+
+# ------------- redis queue -------------
+REDIS_QUEUE_HOST="redis"
+REDIS_QUEUE_PORT=6379
+
+# ------------- redis rate limit -------------
+REDIS_RATE_LIMIT_HOST="redis"
+REDIS_RATE_LIMIT_PORT=6379
+
+# ------------- client side cache -------------
+CLIENT_CACHE_MAX_AGE=60
+
+# ------------- test -------------
+TEST_NAME="Tester User"
+TEST_EMAIL="test@tester.com"
+TEST_USERNAME="testeruser"
+TEST_PASSWORD="Str1ngT3st!"
+
+# ------------- environment -------------
+ENVIRONMENT="production"
+
+# ------------- first tier -------------
+TIER_NAME="free"
diff --git a/scripts/production_with_nginx/Dockerfile b/scripts/production_with_nginx/Dockerfile
new file mode 100644
index 00000000..8b8ccfee
--- /dev/null
+++ b/scripts/production_with_nginx/Dockerfile
@@ -0,0 +1,27 @@
+# --------- requirements ---------
+
+FROM python:3.11 as requirements-stage
+
+WORKDIR /tmp
+
+RUN pip install poetry
+
+COPY ./pyproject.toml ./poetry.lock* /tmp/
+
+RUN poetry export -f requirements.txt --output requirements.txt --without-hashes
+
+
+# --------- final image build ---------
+FROM python:3.11
+
+WORKDIR /code
+
+COPY --from=requirements-stage /tmp/requirements.txt /code/requirements.txt
+
+RUN pip install --no-cache-dir --upgrade -r /code/requirements.txt
+
+COPY ./src/app /code/app
+
+# -------- replace with comment to run with gunicorn --------
+CMD ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "8000", "--reload"]
+# CMD ["gunicorn", "app.main:app", "-w", "4", "-k", "uvicorn.workers.UvicornWorker", "-b", "0.0.0.0:8000"]
diff --git a/scripts/production_with_nginx/docker-compose.yml b/scripts/production_with_nginx/docker-compose.yml
new file mode 100644
index 00000000..77c62967
--- /dev/null
+++ b/scripts/production_with_nginx/docker-compose.yml
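Review bot: This production example defines no `CORS_*` variables, while `scripts/local_with_uvicorn/.env.example` in the same series sets `CORS_ORIGINS`, `CORS_METHODS` and `CORS_HEADERS`, and the documentation added alongside says never to use `*` for `CORS_ORIGINS` in production. `CORSSettings` in `src/app/core/config.py` (not in this hunk) presumably supplies a default; if that default is the wildcard shown in the docs, a deployment built from this file gets wildcard CORS exactly where the docs warn against it. Add the block with the docs' own placeholders so an operator has to edit it: `CORS_ORIGINS="https://yourapp.com,https://www.yourapp.com"`, `CORS_METHODS="GET,POST,PUT,DELETE,PATCH"`, `CORS_HEADERS="Authorization,Content-Type"`. `scripts/gunicorn_managing_uvicorn_workers/.env.example` has the same omission.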
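Review bot: The active `CMD` is `uvicorn … --reload` and the gunicorn line is the commented one, so an image built from this production Dockerfile starts the development autoreloader as a single process; the marker `# -------- replace with comment to run with gunicorn --------` and the sibling `scripts/gunicorn_managing_uvicorn_workers/Dockerfile` show the intended form, which is the same two lines with the `# ` moved to the uvicorn line. The compose file in this directory overrides `CMD` with `command: gunicorn …`, which hides the problem only while the image is started through compose.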
@@ -0,0 +1,110 @@
+services:
+ web:
+ build:
+ context: .
+ dockerfile: Dockerfile
+ # -------- Both of the following commands should be commented to run with nginx --------
+
+ # -------- replace with comment to run with gunicorn --------
+ # command: uvicorn app.main:app --host 0.0.0.0 --port 8000 --reload
+ command: gunicorn app.main:app -w 4 -k uvicorn.workers.UvicornWorker -b 0.0.0.0:8000
+ env_file:
+ - ./src/.env
+ # -------- replace ports with expose if you are using nginx --------
+ # ports:
+ # - "8000:8000"
+ expose:
+ - "8000"
+ depends_on:
+ - db
+ - redis
+ volumes:
+ - ./src/app:/code/app
+ - ./src/.env:/code/.env
+
+ worker:
+ build:
+ context: .
+ dockerfile: Dockerfile
+ command: arq app.core.worker.settings.WorkerSettings
+ env_file:
+ - ./src/.env
+ depends_on:
+ - db
+ - redis
+ volumes:
+ - ./src/app:/code/app
+ - ./src/.env:/code/.env
+
+ db:
+ image: postgres:13
+ env_file:
+ - ./src/.env
+ volumes:
+ - postgres-data:/var/lib/postgresql/data
+ expose:
+ - "5432"
+
+ redis:
+ image: redis:alpine
+ volumes:
+ - redis-data:/data
+ expose:
+ - "6379"
+
+ #-------- uncomment to run with nginx --------
+ nginx:
+ image: nginx:latest
+ ports:
+ - "80:80"
+ volumes:
+ - ./default.conf:/etc/nginx/conf.d/default.conf
+ depends_on:
+ - web
+
+ #-------- uncomment to create first superuser --------
+ # create_superuser:
+ # build:
+ # context: .
+ # dockerfile: Dockerfile
+ # env_file:
+ # - ./src/.env
+ # depends_on:
+ # - db
+ # - web
+ # command: python -m src.scripts.create_first_superuser
+ # volumes:
+ # - ./src:/code/src
+
+ #-------- uncomment to run tests --------
+ # pytest:
+ # build:
+ # context: .
+ # dockerfile: Dockerfile
+ # env_file:
+ # - ./src/.env
+ # depends_on:
+ # - web
+ # - redis
+ # command: python -m pytest ./tests
+ # volumes:
+ # - .:/code
+
+ #-------- uncomment to create first tier --------
+ # create_tier:
+ # build:
+ # context: .
+ # dockerfile: Dockerfile
+ # env_file:
+ # - ./src/.env
+ # depends_on:
+ # - create_superuser
+ # - db
+ # - web
+ # command: python -m src.scripts.create_first_tier
+ # volumes:
+ # - ./src:/code/src
+
+volumes:
+ postgres-data:
+ redis-data:
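Review bot: In this production compose file both `web` and `worker` bind-mount `./src/app:/code/app` over the code baked into the image, so what actually runs is the host checkout rather than the built artifact, and they also mount `./src/.env:/code/.env` although `env_file` already loads the same file (unless the settings loader reads it from that path, the mount only places the secrets file on the container filesystem). For a production script the two `volumes:` entries under `web` and `worker` should be dropped; the `db` and `redis` data volumes stay. `db` receives the whole `./src/.env` via `env_file`, which hands the application's SECRET_KEY and admin password to the postgres container that only needs the POSTGRES_* variables; a separate env file, or explicit `environment:` keys, keeps it to least privilege. `nginx:latest`, `redis:alpine` and `postgres:13` are floating or major-only tags, so pinning to a specific version or digest keeps deployments reproducible and reviewable.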
